NIFI-4335: Changed SSLContextService implementations to RestrictedSSLContextService for all Listen* processors

This closes #2131.

Signed-off-by: Andy LoPresto <alopresto@apache.org>
m-hogue 2017-09-06 14:33:11 -04:00 committed by Andy LoPresto
parent c10ff574c4
commit 03e51ee8ac
18 changed files with 69 additions and 44 deletions


@ -58,6 +58,7 @@ import org.apache.nifi.processors.beats.frame.BeatsEncoder;
import org.apache.nifi.processors.beats.handler.BeatsSocketChannelHandlerFactory; import org.apache.nifi.processors.beats.handler.BeatsSocketChannelHandlerFactory;
import org.apache.nifi.processors.beats.response.BeatsChannelResponse; import org.apache.nifi.processors.beats.response.BeatsChannelResponse;
import org.apache.nifi.processors.beats.response.BeatsResponse; import org.apache.nifi.processors.beats.response.BeatsResponse;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
@InputRequirement(InputRequirement.Requirement.INPUT_FORBIDDEN) @InputRequirement(InputRequirement.Requirement.INPUT_FORBIDDEN)
@ -81,7 +82,7 @@ public class ListenBeats extends AbstractListenEventBatchingProcessor<BeatsEvent
"messages will be received over a secure connection.") "messages will be received over a secure connection.")
// Nearly all Lumberjack v1 implementations require TLS to work. v2 implementations (i.e. beats) have TLS as optional // Nearly all Lumberjack v1 implementations require TLS to work. v2 implementations (i.e. beats) have TLS as optional
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
@Override @Override
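Review bot: Narrowing the property to `RestrictedSSLContextService.class` on the `.identifiesControllerService` line invalidates existing flows whose SSL Context Service property points at a StandardSSLContextService instance, since that class presumably does not implement the restricted interface — after upgrade those processors fail validation with no hint why. The description two lines above still reads "The Controller Service to use in order to obtain an SSL Context" and says nothing about the narrower type; append `"Only a Restricted SSL Context Service (one that limits the protocol versions it will negotiate) can be selected."` and call the migration out in the commit description. The same applies to the ListenSMTP, ListenGRPC, ListenLumberjack, AbstractSiteToSiteReportingTask, HandleHttpRequest, ListenRELP, ListenSyslog, ListenTCP and ListenTCPRecord hunks. The ListenBeats class continues outside the hunk.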


@ -50,6 +50,7 @@ import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.email.smtp.SmtpConsumer; import org.apache.nifi.processors.email.smtp.SmtpConsumer;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import org.subethamail.smtp.MessageContext; import org.subethamail.smtp.MessageContext;
@ -124,7 +125,7 @@ public class ListenSMTP extends AbstractSessionFactoryProcessor {
.description("The Controller Service to use in order to obtain an SSL Context. If this property is set, " .description("The Controller Service to use in order to obtain an SSL Context. If this property is set, "
+ "messages will be received over a secure connection.") + "messages will be received over a secure connection.")
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder() static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder()


@ -28,6 +28,7 @@ import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail; import org.apache.commons.mail.SimpleEmail;
import org.apache.nifi.remote.io.socket.NetworkUtils; import org.apache.nifi.remote.io.socket.NetworkUtils;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
import org.apache.nifi.ssl.StandardSSLContextService; import org.apache.nifi.ssl.StandardSSLContextService;
import org.apache.nifi.util.TestRunner; import org.apache.nifi.util.TestRunner;
import org.apache.nifi.util.TestRunners; import org.apache.nifi.util.TestRunners;
@ -100,7 +101,7 @@ public class TestListenSMTP {
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3"); runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
// Setup the SSL Context // Setup the SSL Context
SSLContextService sslContextService = new StandardSSLContextService(); SSLContextService sslContextService = new StandardRestrictedSSLContextService();
runner.addControllerService("ssl-context", sslContextService); runner.addControllerService("ssl-context", sslContextService);
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/localhost-ts.jks"); runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/localhost-ts.jks");
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "localtest"); runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "localtest");
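Review bot: The fixture now instantiates `StandardRestrictedSSLContextService` but still configures it through the `StandardSSLContextService.TRUSTSTORE` and `TRUSTSTORE_PASSWORD` constants on the following two lines, so the test only holds if those descriptors are shared between the two implementations, which nothing in the hunk shows. If the restricted service adds or constrains a protocol-selection property, this test never sets it and so passes on whatever the default is; set it explicitly here so the test pins the restricted behaviour rather than the default. The same fixture pattern appears in the TestListenTCP and TestListenTCPRecord hunks. The enclosing test method starts before the hunk.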


@ -35,6 +35,7 @@ import org.apache.nifi.processor.ProcessSessionFactory;
import org.apache.nifi.processor.Relationship; import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import java.io.FileInputStream; import java.io.FileInputStream;
@ -82,25 +83,29 @@ public class ListenGRPC extends AbstractSessionFactoryProcessor {
// properties // properties
public static final PropertyDescriptor PROP_SERVICE_PORT = new PropertyDescriptor.Builder() public static final PropertyDescriptor PROP_SERVICE_PORT = new PropertyDescriptor.Builder()
.name("Local gRPC service port") .name("Local gRPC service port")
.displayName("Local gRPC Service Port")
.description("The local port that the gRPC service will listen on.") .description("The local port that the gRPC service will listen on.")
.required(true) .required(true)
.addValidator(StandardValidators.PORT_VALIDATOR) .addValidator(StandardValidators.PORT_VALIDATOR)
.build(); .build();
public static final PropertyDescriptor PROP_USE_SECURE = new PropertyDescriptor.Builder() public static final PropertyDescriptor PROP_USE_SECURE = new PropertyDescriptor.Builder()
.name("Use SSL/TLS") .name("Use TLS")
.description("Whether or not to use SSL/TLS to send the contents of the gRPC messages.") .displayName("Use TLS")
.description("Whether or not to use TLS to send the contents of the gRPC messages.")
.required(false) .required(false)
.defaultValue("false") .defaultValue("false")
.allowableValues("true", "false") .allowableValues("true", "false")
.build(); .build();
public static final PropertyDescriptor PROP_SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder() public static final PropertyDescriptor PROP_SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder()
.name("SSL Context Service") .name("SSL Context Service")
.description("The SSL Context Service used to provide client certificate information for TLS/SSL (https) connections.") .displayName("SSL Context Service")
.description("The SSL Context Service used to provide client certificate information for TLS (https) connections.")
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
public static final PropertyDescriptor PROP_FLOW_CONTROL_WINDOW = new PropertyDescriptor.Builder() public static final PropertyDescriptor PROP_FLOW_CONTROL_WINDOW = new PropertyDescriptor.Builder()
.name("Flow Control Window") .name("Flow Control Window")
.displayName("Flow Control Window")
.description("The initial HTTP/2 flow control window for both new streams and overall connection." + .description("The initial HTTP/2 flow control window for both new streams and overall connection." +
" Flow-control schemes ensure that streams on the same connection do not destructively interfere with each other." + " Flow-control schemes ensure that streams on the same connection do not destructively interfere with each other." +
" The default is 1MB.") " The default is 1MB.")
@ -110,6 +115,7 @@ public class ListenGRPC extends AbstractSessionFactoryProcessor {
.build(); .build();
public static final PropertyDescriptor PROP_MAX_MESSAGE_SIZE = new PropertyDescriptor.Builder() public static final PropertyDescriptor PROP_MAX_MESSAGE_SIZE = new PropertyDescriptor.Builder()
.name("Max Message Size") .name("Max Message Size")
.displayName("Maximum Message Size")
.description("The maximum size of FlowFiles that this processor will allow to be received." + .description("The maximum size of FlowFiles that this processor will allow to be received." +
" The default is 4MB. If FlowFiles exceed this size, you should consider using another transport mechanism" + " The default is 4MB. If FlowFiles exceed this size, you should consider using another transport mechanism" +
" as gRPC isn't designed for heavy payloads.") " as gRPC isn't designed for heavy payloads.")
@ -119,6 +125,7 @@ public class ListenGRPC extends AbstractSessionFactoryProcessor {
.build(); .build();
public static final PropertyDescriptor PROP_AUTHORIZED_DN_PATTERN = new PropertyDescriptor.Builder() public static final PropertyDescriptor PROP_AUTHORIZED_DN_PATTERN = new PropertyDescriptor.Builder()
.name("Authorized DN Pattern") .name("Authorized DN Pattern")
.displayName("Authorized DN Pattern")
.description("A Regular Expression to apply against the Distinguished Name of incoming connections. If the Pattern does not match the DN, the connection will be refused.") .description("A Regular Expression to apply against the Distinguished Name of incoming connections. If the Pattern does not match the DN, the connection will be refused.")
.required(true) .required(true)
.defaultValue(".*") .defaultValue(".*")
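Review bot: The PROP_USE_SECURE descriptor changes `.name("Use SSL/TLS")` to `.name("Use TLS")` while also gaining a displayName; in NiFi the `name()` is the key under which a configured value is persisted, so renaming it orphans the value in every existing flow (it would surface as an unsupported property instead of the configured TLS switch), unless this processor maps the old key somewhere outside the hunk. Keep the persisted key and confine the cosmetic change to the display name: `.name("Use SSL/TLS")` followed by `.displayName("Use TLS")`. The other new `.displayName(...)` lines in this section are fine because they leave `.name()` untouched. The ListenGRPC class continues outside the hunk.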


@ -58,6 +58,7 @@ import org.apache.nifi.processors.lumberjack.frame.LumberjackEncoder;
import org.apache.nifi.processors.lumberjack.handler.LumberjackSocketChannelHandlerFactory; import org.apache.nifi.processors.lumberjack.handler.LumberjackSocketChannelHandlerFactory;
import org.apache.nifi.processors.lumberjack.response.LumberjackChannelResponse; import org.apache.nifi.processors.lumberjack.response.LumberjackChannelResponse;
import org.apache.nifi.processors.lumberjack.response.LumberjackResponse; import org.apache.nifi.processors.lumberjack.response.LumberjackResponse;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import com.google.gson.Gson; import com.google.gson.Gson;
@ -89,7 +90,7 @@ public class ListenLumberjack extends AbstractListenEventBatchingProcessor<Lumbe
"two-way SSL authentication, the controller MUST have a truststore and a keystore to work" + "two-way SSL authentication, the controller MUST have a truststore and a keystore to work" +
"properly.") "properly.")
.required(true) .required(true)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
@Override @Override


@ -29,6 +29,7 @@ import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.remote.client.SiteToSiteClient; import org.apache.nifi.remote.client.SiteToSiteClient;
import org.apache.nifi.remote.protocol.SiteToSiteTransportProtocol; import org.apache.nifi.remote.protocol.SiteToSiteTransportProtocol;
import org.apache.nifi.remote.protocol.http.HttpProxy; import org.apache.nifi.remote.protocol.http.HttpProxy;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import org.apache.nifi.util.StringUtils; import org.apache.nifi.util.StringUtils;
@ -67,7 +68,7 @@ public abstract class AbstractSiteToSiteReportingTask extends AbstractReportingT
.displayName("SSL Context Service") .displayName("SSL Context Service")
.description("The SSL Context Service to use when communicating with the destination. If not specified, communications will not be secure.") .description("The SSL Context Service to use when communicating with the destination. If not specified, communications will not be secure.")
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
static final PropertyDescriptor INSTANCE_URL = new PropertyDescriptor.Builder() static final PropertyDescriptor INSTANCE_URL = new PropertyDescriptor.Builder()
.name("Instance URL") .name("Instance URL")
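Review bot: This hunk applies the restriction to AbstractSiteToSiteReportingTask, a client that initiates connections to a remote NiFi instance, although the commit title scopes the change to Listen* processors; on the client side a protocol-restricted context can also fail the handshake against a remote endpoint that does not offer those versions, which is a different operational risk from tightening a listener. State that intent in the commit description so operators know the reporting tasks are affected too. The enclosing abstract class continues outside the hunk.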


@ -80,5 +80,10 @@
<artifactId>nifi-ssl-context-service</artifactId> <artifactId>nifi-ssl-context-service</artifactId>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-ssl-context-service-api</artifactId>
<scope>test</scope>
</dependency>
</dependencies> </dependencies>
</project> </project>


@ -16,7 +16,7 @@
*/ */
package org.apache.nifi.processors.slack; package org.apache.nifi.processors.slack;
import org.apache.nifi.ssl.StandardSSLContextService; import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.ServerConnector;
@ -79,16 +79,16 @@ public class TestServer {
private void createSecureConnector(final Map<String, String> sslProperties) { private void createSecureConnector(final Map<String, String> sslProperties) {
SslContextFactory ssl = new SslContextFactory(); SslContextFactory ssl = new SslContextFactory();
if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) { if (sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE.getName()) != null) {
ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName())); ssl.setKeyStorePath(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE.getName()));
ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName())); ssl.setKeyStorePassword(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE_PASSWORD.getName()));
ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName())); ssl.setKeyStoreType(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE_TYPE.getName()));
} }
if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) { if (sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE.getName()) != null) {
ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName())); ssl.setTrustStorePath(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE.getName()));
ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName())); ssl.setTrustStorePassword(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE_PASSWORD.getName()));
ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName())); ssl.setTrustStoreType(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE_TYPE.getName()));
} }
final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH); final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);
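Review bot: createSecureConnector now reads the keystore and truststore descriptors as `StandardRestrictedSSLContextService.KEYSTORE` and friends, yet nothing in the hunk indicates these descriptors are declared on the restricted class rather than inherited from StandardSSLContextService; if they are inherited statics, referencing them through the subclass is misleading, IDE inspections flag it, and the previous form was clearer. Either keep `StandardSSLContextService.KEYSTORE.getName()` and the original import, or add a comment stating why the restricted class is the intended declaring type. The same applies to the second TestServer hunk later in this commit. createSecureConnector continues past the hunk.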


@ -64,6 +64,7 @@ import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.standard.util.HTTPUtils; import org.apache.nifi.processors.standard.util.HTTPUtils;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration; import org.eclipse.jetty.server.HttpConfiguration;
@ -145,7 +146,7 @@ public class HandleHttpRequest extends AbstractProcessor {
.description("The SSL Context Service to use in order to secure the server. If specified, the server will accept only HTTPS requests; " .description("The SSL Context Service to use in order to secure the server. If specified, the server will accept only HTTPS requests; "
+ "otherwise, the server will accept only HTTP requests") + "otherwise, the server will accept only HTTP requests")
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
public static final PropertyDescriptor URL_CHARACTER_SET = new PropertyDescriptor.Builder() public static final PropertyDescriptor URL_CHARACTER_SET = new PropertyDescriptor.Builder()
.name("Default URL Character Set") .name("Default URL Character Set")


@ -47,6 +47,7 @@ import org.apache.nifi.processors.standard.relp.handler.RELPSocketChannelHandler
import org.apache.nifi.processors.standard.relp.response.RELPChannelResponse; import org.apache.nifi.processors.standard.relp.response.RELPChannelResponse;
import org.apache.nifi.processors.standard.relp.response.RELPResponse; import org.apache.nifi.processors.standard.relp.response.RELPResponse;
import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
@ -83,7 +84,7 @@ public class ListenRELP extends AbstractListenEventBatchingProcessor<RELPEvent>
.description("The Controller Service to use in order to obtain an SSL Context. If this property is set, " + .description("The Controller Service to use in order to obtain an SSL Context. If this property is set, " +
"messages will be received over a secure connection.") "messages will be received over a secure connection.")
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
public static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder() public static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder()
.name("Client Auth") .name("Client Auth")


@ -74,6 +74,7 @@ import org.apache.nifi.processors.standard.syslog.SyslogAttributes;
import org.apache.nifi.processors.standard.syslog.SyslogEvent; import org.apache.nifi.processors.standard.syslog.SyslogEvent;
import org.apache.nifi.processors.standard.syslog.SyslogParser; import org.apache.nifi.processors.standard.syslog.SyslogParser;
import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
@SupportsBatching @SupportsBatching
@ -175,7 +176,7 @@ public class ListenSyslog extends AbstractSyslogProcessor {
.description("The Controller Service to use in order to obtain an SSL Context. If this property is set, syslog " + .description("The Controller Service to use in order to obtain an SSL Context. If this property is set, syslog " +
"messages will be received over a secure connection.") "messages will be received over a secure connection.")
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
public static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder() public static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder()
.name("Client Auth") .name("Client Auth")


@ -38,6 +38,7 @@ import org.apache.nifi.processor.util.listen.event.StandardEventFactory;
import org.apache.nifi.processor.util.listen.handler.ChannelHandlerFactory; import org.apache.nifi.processor.util.listen.handler.ChannelHandlerFactory;
import org.apache.nifi.processor.util.listen.handler.socket.SocketChannelHandlerFactory; import org.apache.nifi.processor.util.listen.handler.socket.SocketChannelHandlerFactory;
import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
@ -72,7 +73,7 @@ public class ListenTCP extends AbstractListenEventBatchingProcessor<StandardEven
.description("The Controller Service to use in order to obtain an SSL Context. If this property is set, " + .description("The Controller Service to use in order to obtain an SSL Context. If this property is set, " +
"messages will be received over a secure connection.") "messages will be received over a secure connection.")
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
public static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder() public static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder()


@ -50,6 +50,7 @@ import org.apache.nifi.serialization.RecordSetWriterFactory;
import org.apache.nifi.serialization.WriteResult; import org.apache.nifi.serialization.WriteResult;
import org.apache.nifi.serialization.record.Record; import org.apache.nifi.serialization.record.Record;
import org.apache.nifi.serialization.record.RecordSchema; import org.apache.nifi.serialization.record.RecordSchema;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
@ -181,7 +182,7 @@ public class ListenTCPRecord extends AbstractProcessor {
.description("The Controller Service to use in order to obtain an SSL Context. If this property is set, " + .description("The Controller Service to use in order to obtain an SSL Context. If this property is set, " +
"messages will be received over a secure connection.") "messages will be received over a secure connection.")
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder() static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder()


@ -17,7 +17,8 @@
package org.apache.nifi.processors.slack; package org.apache.nifi.processors.slack;
import java.util.Map; import java.util.Map;
import org.apache.nifi.ssl.StandardSSLContextService;
import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.ServerConnector;
@ -78,16 +79,16 @@ public class TestServer {
private void createSecureConnector(final Map<String, String> sslProperties) { private void createSecureConnector(final Map<String, String> sslProperties) {
SslContextFactory ssl = new SslContextFactory(); SslContextFactory ssl = new SslContextFactory();
if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) { if (sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE.getName()) != null) {
ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName())); ssl.setKeyStorePath(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE.getName()));
ssl.setKeyStorePassword(sslProperties.get(StandardSSLContextService.KEYSTORE_PASSWORD.getName())); ssl.setKeyStorePassword(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE_PASSWORD.getName()));
ssl.setKeyStoreType(sslProperties.get(StandardSSLContextService.KEYSTORE_TYPE.getName())); ssl.setKeyStoreType(sslProperties.get(StandardRestrictedSSLContextService.KEYSTORE_TYPE.getName()));
} }
if (sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName()) != null) { if (sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE.getName()) != null) {
ssl.setTrustStorePath(sslProperties.get(StandardSSLContextService.TRUSTSTORE.getName())); ssl.setTrustStorePath(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE.getName()));
ssl.setTrustStorePassword(sslProperties.get(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName())); ssl.setTrustStorePassword(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE_PASSWORD.getName()));
ssl.setTrustStoreType(sslProperties.get(StandardSSLContextService.TRUSTSTORE_TYPE.getName())); ssl.setTrustStoreType(sslProperties.get(StandardRestrictedSSLContextService.TRUSTSTORE_TYPE.getName()));
} }
final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH); final String clientAuth = sslProperties.get(NEED_CLIENT_AUTH);


@ -22,6 +22,7 @@ import org.apache.nifi.processor.ProcessSessionFactory;
import org.apache.nifi.reporting.InitializationException; import org.apache.nifi.reporting.InitializationException;
import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
import org.apache.nifi.ssl.StandardSSLContextService; import org.apache.nifi.ssl.StandardSSLContextService;
import org.apache.nifi.util.MockFlowFile; import org.apache.nifi.util.MockFlowFile;
import org.apache.nifi.util.TestRunner; import org.apache.nifi.util.TestRunner;
@ -107,7 +108,7 @@ public class TestListenTCP {
} }
@Test @Test
public void testTLSClienAuthRequiredAndClientCertProvided() throws InitializationException, IOException, InterruptedException, public void testTLSClientAuthRequiredAndClientCertProvided() throws InitializationException, IOException, InterruptedException,
UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
runner.setProperty(ListenTCP.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name()); runner.setProperty(ListenTCP.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name());
@ -140,7 +141,7 @@ public class TestListenTCP {
} }
@Test @Test
public void testTLSClienAuthRequiredAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException, public void testTLSClientAuthRequiredAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException,
UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
runner.setProperty(ListenTCP.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name()); runner.setProperty(ListenTCP.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name());
@ -169,7 +170,7 @@ public class TestListenTCP {
} }
@Test @Test
public void testTLSClienAuthNoneAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException, public void testTLSClientAuthNoneAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException,
UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
runner.setProperty(ListenTCP.CLIENT_AUTH, SSLContextService.ClientAuth.NONE.name()); runner.setProperty(ListenTCP.CLIENT_AUTH, SSLContextService.ClientAuth.NONE.name());
@ -258,7 +259,7 @@ public class TestListenTCP {
} }
private SSLContextService configureProcessorSslContextService() throws InitializationException { private SSLContextService configureProcessorSslContextService() throws InitializationException {
final SSLContextService sslContextService = new StandardSSLContextService(); final SSLContextService sslContextService = new StandardRestrictedSSLContextService();
runner.addControllerService("ssl-context", sslContextService); runner.addControllerService("ssl-context", sslContextService);
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/localhost-ts.jks"); runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/localhost-ts.jks");
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "localtest"); runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "localtest");


@ -27,6 +27,7 @@ import org.apache.nifi.serialization.RecordReaderFactory;
import org.apache.nifi.serialization.RecordSetWriterFactory; import org.apache.nifi.serialization.RecordSetWriterFactory;
import org.apache.nifi.serialization.record.MockRecordWriter; import org.apache.nifi.serialization.record.MockRecordWriter;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.SSLContextService;
import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
import org.apache.nifi.ssl.StandardSSLContextService; import org.apache.nifi.ssl.StandardSSLContextService;
import org.apache.nifi.util.MockFlowFile; import org.apache.nifi.util.MockFlowFile;
import org.apache.nifi.util.TestRunner; import org.apache.nifi.util.TestRunner;
@ -152,7 +153,7 @@ public class TestListenTCPRecord {
} }
@Test @Test
public void testTLSClienAuthRequiredAndClientCertProvided() throws InitializationException, IOException, InterruptedException, UnrecoverableKeyException, public void testTLSClientAuthRequiredAndClientCertProvided() throws InitializationException, IOException, InterruptedException, UnrecoverableKeyException,
CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name()); runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name());
@ -182,7 +183,7 @@ public class TestListenTCPRecord {
} }
@Test @Test
public void testTLSClienAuthRequiredAndClientCertNotProvided() throws InitializationException, CertificateException, UnrecoverableKeyException, public void testTLSClientAuthRequiredAndClientCertNotProvided() throws InitializationException, CertificateException, UnrecoverableKeyException,
NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException, InterruptedException { NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException, InterruptedException {
runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name()); runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SSLContextService.ClientAuth.REQUIRED.name());
@ -200,7 +201,7 @@ public class TestListenTCPRecord {
} }
@Test @Test
public void testTLSClienAuthNoneAndClientCertNotProvided() throws InitializationException, CertificateException, UnrecoverableKeyException, public void testTLSClientAuthNoneAndClientCertNotProvided() throws InitializationException, CertificateException, UnrecoverableKeyException,
NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException, InterruptedException { NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException, InterruptedException {
runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SSLContextService.ClientAuth.NONE.name()); runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SSLContextService.ClientAuth.NONE.name());
@ -263,7 +264,7 @@ public class TestListenTCPRecord {
} }
private SSLContextService configureProcessorSslContextService() throws InitializationException { private SSLContextService configureProcessorSslContextService() throws InitializationException {
final SSLContextService sslContextService = new StandardSSLContextService(); final SSLContextService sslContextService = new StandardRestrictedSSLContextService();
runner.addControllerService("ssl-context", sslContextService); runner.addControllerService("ssl-context", sslContextService);
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/localhost-ts.jks"); runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/localhost-ts.jks");
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "localtest"); runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "localtest");


@ -26,7 +26,7 @@ import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.controller.AbstractControllerService; import org.apache.nifi.controller.AbstractControllerService;
import org.apache.nifi.controller.ConfigurationContext; import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.RestrictedSSLContextService;
public abstract class DistributedCacheServer extends AbstractControllerService { public abstract class DistributedCacheServer extends AbstractControllerService {
@ -46,7 +46,7 @@ public abstract class DistributedCacheServer extends AbstractControllerService {
.description("If specified, this service will be used to create an SSL Context that will be used " .description("If specified, this service will be used to create an SSL Context that will be used "
+ "to secure communications; if not specified, communications will not be secure") + "to secure communications; if not specified, communications will not be secure")
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
public static final PropertyDescriptor MAX_CACHE_ENTRIES = new PropertyDescriptor.Builder() public static final PropertyDescriptor MAX_CACHE_ENTRIES = new PropertyDescriptor.Builder()
.name("Maximum Cache Entries") .name("Maximum Cache Entries")
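Review bot: The description of the SSL Context Service property in this hunk still reads as if any SSL Context Service may be selected, but the new `.identifiesControllerService(RestrictedSSLContextService.class)` restricts the selector to services implementing RestrictedSSLContextService, so a flow that currently references a plain StandardSSLContextService will fail validation after upgrade with no hint as to why. Suggest extending the description text so the constraint is visible in the UI: `+ "to secure communications (a Restricted SSL Context Service is required; a plain SSL Context Service is no longer accepted); if not specified, communications will not be secure")`. What the restricted variant actually enforces (presumably a minimum TLS protocol version) is not visible in this hunk, so word that part to match the RestrictedSSLContextService Javadoc. The enclosing DistributedCacheServer class continues outside the hunk.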


@ -19,7 +19,7 @@ package org.apache.nifi.websocket;
import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.controller.ControllerService; import org.apache.nifi.controller.ControllerService;
import org.apache.nifi.processor.Processor; import org.apache.nifi.processor.Processor;
import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.RestrictedSSLContextService;
import java.io.IOException; import java.io.IOException;
@ -34,7 +34,7 @@ public interface WebSocketService extends ControllerService {
.description("The SSL Context Service to use in order to secure the server. If specified, the server will accept only WSS requests; " .description("The SSL Context Service to use in order to secure the server. If specified, the server will accept only WSS requests; "
+ "otherwise, the server will accept only WS requests") + "otherwise, the server will accept only WS requests")
.required(false) .required(false)
.identifiesControllerService(SSLContextService.class) .identifiesControllerService(RestrictedSSLContextService.class)
.build(); .build();
void registerProcessor(final String endpointId, final Processor processor) throws WebSocketConfigurationException; void registerProcessor(final String endpointId, final Processor processor) throws WebSocketConfigurationException;
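Review bot: The description at the top of this hunk ("The SSL Context Service to use in order to secure the server") no longer matches the constraint introduced on the `.identifiesControllerService(RestrictedSSLContextService.class)` line: only a controller service implementing RestrictedSSLContextService can now be bound, so existing flows configured with a StandardSSLContextService become invalid on upgrade and the validation error alone will not explain the rejection. Suggest `.description("The Restricted SSL Context Service to use in order to secure the server; a plain SSL Context Service is not accepted. If specified, the server will accept only WSS requests; "` and an upgrade note for operators covering the components this commit tightens. Whether the restricted service limits negotiable TLS protocol versions cannot be confirmed from this hunk and should be stated only as the interface's Javadoc does. The WebSocketService interface continues past the end of the hunk.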