From 03e51ee8acea7d72a13aea96f60bb726087136ee Mon Sep 17 00:00:00 2001
From: m-hogue
Date: Wed, 6 Sep 2017 14:33:11 -0400
Subject: [PATCH] NIFI-4335: Changed SSLContextService implementations to RestrictedSSLContextService for all Listen* processors

This closes #2131.

Signed-off-by: Andy LoPresto
---
 .../nifi/processors/beats/ListenBeats.java | 3 ++-
 .../nifi/processors/email/ListenSMTP.java | 3 ++-
 .../nifi/processors/email/TestListenSMTP.java | 3 ++-
 .../nifi/processors/grpc/ListenGRPC.java | 15 +++++++++++----
 .../lumberjack/ListenLumberjack.java | 3 ++-
 .../AbstractSiteToSiteReportingTask.java | 3 ++-
 .../nifi-slack-processors/pom.xml | 5 +++++
 .../nifi/processors/slack/TestServer.java | 18 +++++++++---------
 .../standard/HandleHttpRequest.java | 3 ++-
 .../nifi/processors/standard/ListenRELP.java | 3 ++-
 .../processors/standard/ListenSyslog.java | 3 ++-
 .../nifi/processors/standard/ListenTCP.java | 3 ++-
 .../processors/standard/ListenTCPRecord.java | 3 ++-
 .../nifi/processors/slack/TestServer.java | 19 ++++++++++---------
 .../processors/standard/TestListenTCP.java | 9 +++++----
 .../standard/TestListenTCPRecord.java | 9 +++++----
 .../cache/server/DistributedCacheServer.java | 4 ++--
 .../nifi/websocket/WebSocketService.java | 4 ++--
 18 files changed, 69 insertions(+), 44 deletions(-)

diff --git a/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java b/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java
index 0582f537ad..af5d1b4acb 100644
--- a/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java
+++ b/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java
@@ -58,6 +58,7 @@ import org.apache.nifi.processors.beats.frame.BeatsEncoder;
 import org.apache.nifi.processors.beats.handler.BeatsSocketChannelHandlerFactory;
 import org.apache.nifi.processors.beats.response.BeatsChannelResponse;
 import org.apache.nifi.processors.beats.response.BeatsResponse;
+import org.apache.nifi.ssl.RestrictedSSLContextService;
 import org.apache.nifi.ssl.SSLContextService;
 
 @InputRequirement(InputRequirement.Requirement.INPUT_FORBIDDEN)
@@ -81,7 +82,7 @@ public class ListenBeats extends AbstractListenEventBatchingProcessornifi-ssl-context-service test + + org.apache.nifi + nifi-ssl-context-service-api + test +
diff --git a/nifi-nar-bundles/nifi-slack-bundle/nifi-slack-processors/src/test/java/org/apache/nifi/processors/slack/TestServer.java b/nifi-nar-bundles/nifi-slack-bundle/nifi-slack-processors/src/test/java/org/apache/nifi/processors/slack/TestServer.java
index 6506fd8afe..d8a8e6a934 100644
--- a/nifi-nar-bundles/nifi-slack-bundle/nifi-slack-processors/src/test/java/org/apache/nifi/processors/slack/TestServer.java
+++ b/nifi-nar-bundles/nifi-slack-bundle/nifi-slack-processors/src/test/java/org/apache/nifi/processors/slack/TestServer.java
@@ -16,7 +16,7 @@
  */
 package org.apache.nifi.processors.slack;
 
-import org.apache.nifi.ssl.StandardSSLContextService;
+import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
@@ -79,16 +79,16 @@ public class TestServer {
 private void createSecureConnector(final Map sslProperties) {
 SslContextFactory ssl = new SslContextFactory();
- if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
- ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
- ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName()));
- ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName()));
+ if (sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE.getName()) != null) {
+ ssl.setKeyStorePath(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE.getName()));
+ ssl.setKeyStorePassword(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE_PASSWORD.getName()));
+ ssl.setKeyStoreType(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE_TYPE.getName()));
 }
- if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) {
- ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()));
- ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName()));
- ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName()));
+ if (sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE.getName()) != null) {
+ ssl.setTrustStorePath(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE.getName()));
+ ssl.setTrustStorePassword(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE_PASSWORD.getName()));
+ ssl.setTrustStoreType(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE_TYPE.getName()));
 }
 final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
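Review bot: The new lines in createSecureConnector reach KEYSTORE, KEYSTORE_PASSWORD, KEYSTORE_TYPE and the TRUSTSTORE counterparts through StandardRestrictedSSLContextService, yet TestListenTCP in this same patch still reads the same descriptors as `StandardSSLContextService.TRUSTSTORE`, which suggests they are declared on the parent class and merely inherited here. Referencing an inherited static through a subclass compiles, but it misleads a reader into thinking the restricted service defines its own descriptors and most static analyzers flag it; since this Jetty helper only copies keystore/truststore settings and never instantiates the service, the original `StandardSSLContextService.KEYSTORE` references could stay and only the import needs to match whatever class is actually referenced. This is a style point, behaviour is identical either way. The method continues past the hunk, so the clientAuth handling that follows is not visible here.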
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/HandleHttpRequest.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/HandleHttpRequest.java
index 3dd46f9fce..f532ca2290 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/HandleHttpRequest.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/HandleHttpRequest.java
@@ -64,6 +64,7 @@ import org.apache.nifi.processor.Relationship;
 import org.apache.nifi.processor.exception.ProcessException;
 import org.apache.nifi.processor.util.StandardValidators;
 import org.apache.nifi.processors.standard.util.HTTPUtils;
+import org.apache.nifi.ssl.RestrictedSSLContextService;
 import org.apache.nifi.ssl.SSLContextService;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.HttpConfiguration;
@@ -145,7 +146,7 @@ public class HandleHttpRequest extends AbstractProcessor {
 .description("The SSL Context Service to use in order to secure the server. If specified, the server will accept only HTTPS requests; "
 + "otherwise, the server will accept only HTTP requests")
 .required(false)
- .identifiesControllerService(SSLContextService.class)
+ .identifiesControllerService(RestrictedSSLContextService.class)
 .build();
 public static final PropertyDescriptor URL_CHARACTER_SET = new PropertyDescriptor.Builder()
 .name("Default URL Character Set")
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java
index 7400862d98..3822ec5dbf 100644
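Review bot: The SSL_CONTEXT_SERVICE description still describes the service generically, but the `.identifiesControllerService(RestrictedSSLContextService.class)` line now makes HandleHttpRequest accept only services implementing RestrictedSSLContextService, so an existing flow that points this property at a plain StandardSSLContextService will presumably fail validation after upgrade instead of keeping its previous settings. The description is the only place a user sees this in the UI; I would extend it, e.g. `"... otherwise, the server will accept only HTTP requests. Only a Restricted SSL Context Service may be selected."`, and call the migration impact out in the commit message or release notes, since the same narrowing is applied to every Listen* processor in this patch and the commit message does not mention it. The `.name(...)` line and the start of the builder chain sit above the hunk.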
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java
@@ -47,6 +47,7 @@ import org.apache.nifi.processors.standard.relp.handler.RELPSocketChannelHandler
 import org.apache.nifi.processors.standard.relp.response.RELPChannelResponse;
 import org.apache.nifi.processors.standard.relp.response.RELPResponse;
 import org.apache.nifi.security.util.SslContextFactory;
+import org.apache.nifi.ssl.RestrictedSSLContextService;
 import org.apache.nifi.ssl.SSLContextService;
 
 import javax.net.ssl.SSLContext;
@@ -83,7 +84,7 @@ public class ListenRELP extends AbstractListenEventBatchingProcessor
 .description("The Controller Service to use in order to obtain an SSL Context. If this property is set, "
 + "messages will be received over a secure connection.")
 .required(false)
- .identifiesControllerService(SSLContextService.class)
+ .identifiesControllerService(RestrictedSSLContextService.class)
 .build();
 public static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder()
 .name("Client Auth")
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java
index ac874d5351..d841e1588a 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java
@@ -74,6 +74,7 @@ import org.apache.nifi.processors.standard.syslog.SyslogAttributes;
 import org.apache.nifi.processors.standard.syslog.SyslogEvent;
 import org.apache.nifi.processors.standard.syslog.SyslogParser;
 import org.apache.nifi.security.util.SslContextFactory;
+import org.apache.nifi.ssl.RestrictedSSLContextService;
 import org.apache.nifi.ssl.SSLContextService;
 
 @SupportsBatching
@@ -175,7 +176,7 @@ public class ListenSyslog extends AbstractSyslogProcessor {
 .description("The Controller Service to use in order to obtain an SSL Context. If this property is set, syslog "
 + "messages will be received over a secure connection.")
 .required(false)
- .identifiesControllerService(SSLContextService.class)
+ .identifiesControllerService(RestrictedSSLContextService.class)
 .build();
 public static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder()
 .name("Client Auth")
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java
index 86554c812f..e034546da0 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java
@@ -38,6 +38,7 @@ import org.apache.nifi.processor.util.listen.event.StandardEventFactory;
 import org.apache.nifi.processor.util.listen.handler.ChannelHandlerFactory;
 import org.apache.nifi.processor.util.listen.handler.socket.SocketChannelHandlerFactory;
 import org.apache.nifi.security.util.SslContextFactory;
+import org.apache.nifi.ssl.RestrictedSSLContextService;
 import org.apache.nifi.ssl.SSLContextService;
 
 import javax.net.ssl.SSLContext;
@@ -72,7 +73,7 @@ public class ListenTCP extends AbstractListenEventBatchingProcessor sslProperties) {
 SslContextFactory ssl = new SslContextFactory();
- if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
- ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
- ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName()));
- ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName()));
+ if (sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE.getName()) != null) {
+ ssl.setKeyStorePath(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE.getName()));
+ ssl.setKeyStorePassword(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE_PASSWORD.getName()));
+ ssl.setKeyStoreType(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE_TYPE.getName()));
 }
- if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) {
- ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()));
- ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName()));
- ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName()));
+ if (sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE.getName()) != null) {
+ ssl.setTrustStorePath(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE.getName()));
+ ssl.setTrustStorePassword(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE_PASSWORD.getName()));
+ ssl.setTrustStoreType(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE_TYPE.getName()));
 }
 final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java
index ef05eab6c4..08127d1e03 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java
@@ -22,6 +22,7 @@ import org.apache.nifi.processor.ProcessSessionFactory;
 import org.apache.nifi.reporting.InitializationException;
 import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.ssl.SSLContextService;
+import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
 import org.apache.nifi.ssl.StandardSSLContextService;
 import org.apache.nifi.util.MockFlowFile;
 import org.apache.nifi.util.TestRunner;
@@ -107,7 +108,7 @@ public class TestListenTCP {
 }
 
 @Test
- public void testTLSClienAuthRequiredAndClientCertProvided() throws InitializationException, IOException, InterruptedException,
+ public void testTLSClientAuthRequiredAndClientCertProvided() throws InitializationException, IOException, InterruptedException,
 UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
 
 runner.setProperty(ListenTCP.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name());
@@ -140,7 +141,7 @@ public class TestListenTCP {
 }
 
 @Test
- public void testTLSClienAuthRequiredAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException,
+ public void testTLSClientAuthRequiredAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException,
 UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
 
 runner.setProperty(ListenTCP.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name());
@@ -169,7 +170,7 @@ public class TestListenTCP {
 }
 
 @Test
- public void testTLSClienAuthNoneAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException,
+ public void testTLSClientAuthNoneAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException,
 UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
 
 runner.setProperty(ListenTCP.CLIENT_AUTH, SSLContextService.ClientAuth.NONE.name());
@@ -258,7 +259,7 @@ public class TestListenTCP {
 }
 
 private SSLContextService configureProcessorSslContextService() throws InitializationException {
- final SSLContextService sslContextService = new StandardSSLContextService();
+ final SSLContextService sslContextService = new StandardRestrictedSSLContextService();
 runner.addControllerService("ssl-context", sslContextService);
 runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/localhost-ts.jks");
 runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "localtest");
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCPRecord.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCPRecord.java
index 6174715655..7314f98532 100644
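Review bot: configureProcessorSslContextService now builds a StandardRestrictedSSLContextService, but the TLS tests above still only vary CLIENT_AUTH, so nothing in this class exercises what the switch to RestrictedSSLContextService actually changes for ListenTCP, namely that a non-restricted service is no longer an acceptable value for SSL_CONTEXT_SERVICE. A short test that registers `new StandardSSLContextService()` through the same helper shape and then asserts the runner reports the processor as not valid would pin that contract; if the restriction is about protocol versions, asserting the negotiated protocol on the test client socket would cover the other half, though I cannot confirm from this diff what the restricted service actually constrains. The helper also still returns the value typed as SSLContextService, which is fine for the callers shown. Any further properties the helper sets are past the end of the hunk.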
--- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCPRecord.java
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCPRecord.java
@@ -27,6 +27,7 @@ import org.apache.nifi.serialization.RecordReaderFactory;
 import org.apache.nifi.serialization.RecordSetWriterFactory;
 import org.apache.nifi.serialization.record.MockRecordWriter;
 import org.apache.nifi.ssl.SSLContextService;
+import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
 import org.apache.nifi.ssl.StandardSSLContextService;
 import org.apache.nifi.util.MockFlowFile;
 import org.apache.nifi.util.TestRunner;
@@ -152,7 +153,7 @@ public class TestListenTCPRecord {
 }
 
 @Test
- public void testTLSClienAuthRequiredAndClientCertProvided() throws InitializationException, IOException, InterruptedException, UnrecoverableKeyException,
+ public void testTLSClientAuthRequiredAndClientCertProvided() throws InitializationException, IOException, InterruptedException, UnrecoverableKeyException,
 CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
 
 runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name());
@@ -182,7 +183,7 @@ public class TestListenTCPRecord {
 }
 
 @Test
- public void testTLSClienAuthRequiredAndClientCertNotProvided() throws InitializationException, CertificateException, UnrecoverableKeyException,
+ public void testTLSClientAuthRequiredAndClientCertNotProvided() throws InitializationException, CertificateException, UnrecoverableKeyException,
 NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException, InterruptedException {
 
 runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name());
@@ -200,7 +201,7 @@ public class TestListenTCPRecord {
 }
 
 @Test
- public void testTLSClienAuthNoneAndClientCertNotProvided() throws InitializationException, CertificateException, UnrecoverableKeyException,
+ public void testTLSClientAuthNoneAndClientCertNotProvided() throws InitializationException, CertificateException, UnrecoverableKeyException,
 NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException, InterruptedException {
 
 runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SSLContextService.ClientAuth.NONE.name());
@@ -263,7 +264,7 @@ public class TestListenTCPRecord {
 }
 
 private SSLContextService configureProcessorSslContextService() throws InitializationException {
- final SSLContextService sslContextService = new StandardSSLContextService();
+ final SSLContextService sslContextService = new StandardRestrictedSSLContextService();
 runner.addControllerService("ssl-context", sslContextService);
 runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/localhost-ts.jks");
 runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "localtest");
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/DistributedCacheServer.java b/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/DistributedCacheServer.java
index 44419b58f8..0643c1be6a 100644
--- a/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/DistributedCacheServer.java
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/DistributedCacheServer.java
@@ -26,7 +26,7 @@ import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.controller.AbstractControllerService;
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.processor.util.StandardValidators;
-import org.apache.nifi.ssl.SSLContextService;
+import org.apache.nifi.ssl.RestrictedSSLContextService;
 
 public abstract class DistributedCacheServer extends AbstractControllerService {
@@ -46,7 +46,7 @@ public abstract class DistributedCacheServer extends AbstractControllerService {
 .description("If specified, this service will be used to create an SSL Context that will be used "
 + "to secure communications; if not specified, communications will not be secure")
 .required(false)
- .identifiesControllerService(SSLContextService.class)
+ .identifiesControllerService(RestrictedSSLContextService.class)
 .build();
 public static final PropertyDescriptor MAX_CACHE_ENTRIES = new PropertyDescriptor.Builder()
 .name("Maximum Cache Entries")
diff --git a/nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-api/src/main/java/org/apache/nifi/websocket/WebSocketService.java b/nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-api/src/main/java/org/apache/nifi/websocket/WebSocketService.java
index f86581b7e5..90a3a3805f 100644
--- a/nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-api/src/main/java/org/apache/nifi/websocket/WebSocketService.java
+++ b/nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-api/src/main/java/org/apache/nifi/websocket/WebSocketService.java
@@ -19,7 +19,7 @@ package org.apache.nifi.websocket;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.controller.ControllerService;
 import org.apache.nifi.processor.Processor;
-import org.apache.nifi.ssl.SSLContextService;
+import org.apache.nifi.ssl.RestrictedSSLContextService;
 
 import java.io.IOException;
@@ -34,7 +34,7 @@ public interface WebSocketService extends ControllerService {
 .description("The SSL Context Service to use in order to secure the server. If specified, the server will accept only WSS requests; "
 + "otherwise, the server will accept only WS requests")
 .required(false)
- .identifiesControllerService(SSLContextService.class)
+ .identifiesControllerService(RestrictedSSLContextService.class)
 .build();
 
 void registerProcessor(final String endpointId, final Processor processor) throws WebSocketConfigurationException;
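Review bot: This descriptor is a constant on the public WebSocketService interface in the nifi-websocket-services-api module, so narrowing it to `RestrictedSSLContextService.class` changes the contract for every WebSocketService implementation and every flow that references one, not just the bundled server, and nothing in the interface says so. A one-line Javadoc on the constant, e.g. `/** Optional SSL context for the server; only a RestrictedSSLContextService implementation is accepted. */`, would make the narrowing visible to implementers, and the description string could carry the same sentence for users who see it in the UI. Whether an existing flow pointing at a non-restricted service is rejected at validation or merely warned about is not visible from this hunk and is worth stating explicitly. The interface continues past the hunk.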