mirror of https://github.com/apache/nifi.git
NIFI-11673 Removed Legacy TLS Configuration Versions
This closes #7367 Signed-off-by: Nandor Soma Abonyi <nsabonyi@apache.org>
This commit is contained in:
exceptionfactory
Nandor Soma Abonyi
parent
ba6797bb94
commit
1f1c5df5a3
|
|
@ -152,7 +152,7 @@ public class HttpNotificationService extends AbstractNotificationService {
|
|||
supportedProperties.add(PROP_KEYSTORE_PASSWORD);
|
||||
supportedProperties.add(PROP_KEYSTORE_TYPE);
|
||||
supportedProperties.add(PROP_KEY_PASSWORD);
|
||||
|
||||
supportedProperties.add(SSL_ALGORITHM);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -224,7 +224,8 @@ public class HttpNotificationService extends AbstractNotificationService {
|
|||
String truststorePath = context.getProperty(HttpNotificationService.PROP_TRUSTSTORE).getValue();
|
||||
String truststorePassword = context.getProperty(HttpNotificationService.PROP_TRUSTSTORE_PASSWORD).getValue();
|
||||
String truststoreType = context.getProperty(HttpNotificationService.PROP_TRUSTSTORE_TYPE).getValue();
|
||||
return new StandardTlsConfiguration(keystorePath, keystorePassword, keyPassword, keystoreType, truststorePath, truststorePassword, truststoreType, TlsConfiguration.TLS_PROTOCOL);
|
||||
String protocol = context.getProperty(HttpNotificationService.SSL_ALGORITHM).getValue();
|
||||
return new StandardTlsConfiguration(keystorePath, keystorePassword, keyPassword, keystoreType, truststorePath, truststorePassword, truststoreType, protocol);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
|||
|
|
@ -56,6 +56,7 @@ import static org.apache.nifi.bootstrap.notification.http.HttpNotificationServic
|
|||
import static org.apache.nifi.bootstrap.notification.http.HttpNotificationService.PROP_TRUSTSTORE_TYPE;
|
||||
import static org.apache.nifi.bootstrap.notification.http.HttpNotificationService.NOTIFICATION_SUBJECT_KEY;
|
||||
import static org.apache.nifi.bootstrap.notification.http.HttpNotificationService.NOTIFICATION_TYPE_KEY;
|
||||
import static org.apache.nifi.bootstrap.notification.http.HttpNotificationService.SSL_ALGORITHM;
|
||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertNotNull;
|
||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
|
|
@ -149,6 +150,7 @@ public class HttpNotificationServiceTest {
|
|||
properties.put(PROP_TRUSTSTORE, createPropertyValue(tlsConfiguration.getTruststorePath()));
|
||||
properties.put(PROP_TRUSTSTORE_PASSWORD, createPropertyValue(tlsConfiguration.getTruststorePassword()));
|
||||
properties.put(PROP_TRUSTSTORE_TYPE, createPropertyValue(tlsConfiguration.getTruststoreType().getType()));
|
||||
properties.put(SSL_ALGORITHM, createPropertyValue(tlsConfiguration.getProtocol()));
|
||||
|
||||
final HttpNotificationService service = getHttpNotificationService(properties);
|
||||
service.notify(getNotificationContext(), NotificationType.NIFI_STARTED, SUBJECT, MESSAGE);
|
||||
|
|
|
|||
|
|
@ -16,29 +16,12 @@
|
|||
*/
|
||||
package org.apache.nifi.security.util;
|
||||
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
/**
|
||||
* This interface serves as an immutable domain object (acting as an internal DTO) for
|
||||
* the various keystore and truststore configuration settings necessary for building
|
||||
* {@link javax.net.ssl.SSLContext}s.
|
||||
*/
|
||||
public interface TlsConfiguration {
|
||||
String SSL_PROTOCOL = "SSL";
|
||||
String TLS_PROTOCOL = "TLS";
|
||||
|
||||
String TLS_1_0_PROTOCOL = "TLSv1";
|
||||
String TLS_1_1_PROTOCOL = "TLSv1.1";
|
||||
String TLS_1_2_PROTOCOL = "TLSv1.2";
|
||||
String[] LEGACY_TLS_PROTOCOL_VERSIONS = new String[]{TLS_1_0_PROTOCOL, TLS_1_1_PROTOCOL};
|
||||
|
||||
String JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = TLS_1_2_PROTOCOL;
|
||||
String JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.3";
|
||||
String[] JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS = new String[]{JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION};
|
||||
String[] JAVA_11_SUPPORTED_TLS_PROTOCOL_VERSIONS = new String[]{JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION, JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION};
|
||||
|
||||
|
||||
/**
|
||||
* Returns {@code true} if the provided TlsConfiguration is {@code null} or <em>empty</em>
|
||||
* (i.e. neither any of the keystore nor truststore properties are populated).
|
||||
|
|
@ -171,64 +154,4 @@ public interface TlsConfiguration {
|
|||
* @return Enabled TLS Protocols
|
||||
*/
|
||||
String[] getEnabledProtocols();
|
||||
|
||||
/**
|
||||
* Returns the JVM Java major version based on the System properties (e.g. {@code JVM 1.8.0.231} -> {code 8}).
|
||||
*
|
||||
* @return the Java major version
|
||||
*/
|
||||
static int getJavaVersion() {
|
||||
String version = System.getProperty("java.version");
|
||||
return parseJavaVersion(version);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the major version parsed from the provided Java version string (e.g. {@code "1.8.0.231"} -> {@code 8}).
|
||||
*
|
||||
* @param version the Java version string
|
||||
* @return the major version as an int
|
||||
*/
|
||||
static int parseJavaVersion(String version) {
|
||||
String majorVersion;
|
||||
if (version.startsWith("1.")) {
|
||||
majorVersion = version.substring(2, 3);
|
||||
} else {
|
||||
Pattern majorVersion9PlusPattern = Pattern.compile("(\\d+).*");
|
||||
Matcher m = majorVersion9PlusPattern.matcher(version);
|
||||
if (m.find()) {
|
||||
majorVersion = m.group(1);
|
||||
} else {
|
||||
throw new IllegalArgumentException("Could not detect major version of " + version);
|
||||
}
|
||||
}
|
||||
return Integer.parseInt(majorVersion);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a {@code String[]} of supported TLS protocol versions based on the current Java platform version.
|
||||
*
|
||||
* @return the supported TLS protocol version(s)
|
||||
*/
|
||||
static String[] getCurrentSupportedTlsProtocolVersions() {
|
||||
int javaMajorVersion = getJavaVersion();
|
||||
if (javaMajorVersion < 11) {
|
||||
return JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS;
|
||||
} else {
|
||||
return JAVA_11_SUPPORTED_TLS_PROTOCOL_VERSIONS;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the highest supported TLS protocol version based on the current Java platform version.
|
||||
*
|
||||
* @return the TLS protocol (e.g. {@code "TLSv1.2"})
|
||||
*/
|
||||
static String getHighestCurrentSupportedTlsProtocolVersion() {
|
||||
int javaMajorVersion = getJavaVersion();
|
||||
if (javaMajorVersion < 11) {
|
||||
return JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION;
|
||||
} else {
|
||||
return JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,64 +0,0 @@
|
|||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright ownership.
|
||||
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
* (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.nifi.security.util;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.condition.EnabledForJreRange;
|
||||
import org.junit.jupiter.api.condition.JRE;
|
||||
import org.junit.jupiter.params.ParameterizedTest;
|
||||
import org.junit.jupiter.params.provider.ValueSource;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.assertArrayEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||
|
||||
public class TlsConfigurationTest {
|
||||
|
||||
@ParameterizedTest
|
||||
@ValueSource(strings = {"1.5.0", "1.6.0", "1.7.0.123", "1.8.0.231", "9.0.1", "10.1.2", "11.2.3", "12.3.456"})
|
||||
public void testParseJavaVersion(String version) {
|
||||
int javaVersion = TlsConfiguration.parseJavaVersion(version);
|
||||
|
||||
assertTrue(javaVersion >= 5 && javaVersion <= 12);
|
||||
}
|
||||
|
||||
@Test
|
||||
@EnabledForJreRange(min = JRE.JAVA_11)
|
||||
public void testGeSupportedTlsProtocolVersionsForJava11AndHigher() {
|
||||
assertArrayEquals(new String[]{"TLSv1.3", "TLSv1.2"},
|
||||
TlsConfiguration.getCurrentSupportedTlsProtocolVersions());
|
||||
}
|
||||
|
||||
@Test
|
||||
@EnabledForJreRange(max = JRE.JAVA_10)
|
||||
public void testGeSupportedTlsProtocolVersionsForJava10AndLower() {
|
||||
assertArrayEquals(new String[]{"TLSv1.2"},
|
||||
TlsConfiguration.getCurrentSupportedTlsProtocolVersions());
|
||||
}
|
||||
|
||||
@Test
|
||||
@EnabledForJreRange(min = JRE.JAVA_11)
|
||||
public void testGetHighestCurrentSupportedTlsProtocolVersionForJava11AndHigher() {
|
||||
assertEquals("TLSv1.3", TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
|
||||
}
|
||||
|
||||
@Test
|
||||
@EnabledForJreRange(max = JRE.JAVA_10)
|
||||
public void testGetHighestCurrentSupportedTlsProtocolVersionForJava10AndLower() {
|
||||
assertEquals("TLSv1.2", TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
|
||||
}
|
||||
}
|
||||
|
|
@ -22,7 +22,6 @@ import org.apache.nifi.util.StringUtils;
|
|||
import java.io.File;
|
||||
import java.net.MalformedURLException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
import java.util.Properties;
|
||||
|
|
@ -35,7 +34,10 @@ import java.net.URL;
|
|||
* building {@link javax.net.ssl.SSLContext}s.
|
||||
*/
|
||||
public class StandardTlsConfiguration implements TlsConfiguration {
|
||||
private static final String TLS_PROTOCOL_VERSION = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion();
|
||||
protected static final String SSL_PROTOCOL = "SSL";
|
||||
protected static final String TLS_PROTOCOL = "TLS";
|
||||
|
||||
private static final String TLS_PROTOCOL_VERSION = TlsPlatform.getLatestProtocol();
|
||||
private static final String MASKED_PASSWORD_LOG = "********";
|
||||
private static final String NULL_LOG = "null";
|
||||
|
||||
|
|
@ -419,10 +421,9 @@ public class StandardTlsConfiguration implements TlsConfiguration {
|
|||
|
||||
final String configuredProtocol = getProtocol();
|
||||
if (TLS_PROTOCOL.equals(configuredProtocol)) {
|
||||
enabledProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()));
|
||||
enabledProtocols.addAll(TlsPlatform.getPreferredProtocols());
|
||||
} else if (SSL_PROTOCOL.equals(configuredProtocol)) {
|
||||
enabledProtocols.addAll(Arrays.asList(LEGACY_TLS_PROTOCOL_VERSIONS));
|
||||
enabledProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()));
|
||||
enabledProtocols.addAll(TlsPlatform.getSupportedProtocols());
|
||||
} else if (configuredProtocol != null) {
|
||||
enabledProtocols.add(configuredProtocol);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -85,8 +85,7 @@ public class KeyStoreUtilsTest {
|
|||
keyStoreType,
|
||||
trustStoreFile.getAbsolutePath(),
|
||||
password,
|
||||
keyStoreType,
|
||||
TlsConfiguration.TLS_PROTOCOL
|
||||
keyStoreType
|
||||
);
|
||||
final TlsConfiguration configuration = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore(requested, 1, new String[] { HOSTNAME });
|
||||
final File keystoreFile = new File(configuration.getKeystorePath());
|
||||
|
|
|
|||
|
|
@ -20,10 +20,7 @@ import org.apache.nifi.util.NiFiProperties;
|
|||
import org.junit.jupiter.api.BeforeAll;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.UUID;
|
||||
|
||||
|
|
@ -49,7 +46,7 @@ public class StandardTlsConfigurationTest {
|
|||
|
||||
private static final String TRUST_STORE_TYPE = KeystoreType.JKS.getType();
|
||||
|
||||
private static final String PROTOCOL = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion();
|
||||
private static final String PROTOCOL = TlsPlatform.getLatestProtocol();
|
||||
|
||||
private static TlsConfiguration tlsConfiguration;
|
||||
|
||||
|
|
@ -235,11 +232,11 @@ public class StandardTlsConfigurationTest {
|
|||
TRUST_STORE_PATH,
|
||||
TRUST_STORE_PASSWORD,
|
||||
TRUST_STORE_TYPE,
|
||||
TlsConfiguration.TLS_PROTOCOL
|
||||
StandardTlsConfiguration.TLS_PROTOCOL
|
||||
);
|
||||
|
||||
final String[] enabledProtocols = configuration.getEnabledProtocols();
|
||||
assertArrayEquals(TlsConfiguration.getCurrentSupportedTlsProtocolVersions(), enabledProtocols);
|
||||
assertArrayEquals(TlsPlatform.getPreferredProtocols().toArray(new String[0]), enabledProtocols);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
@ -252,14 +249,11 @@ public class StandardTlsConfigurationTest {
|
|||
TRUST_STORE_PATH,
|
||||
TRUST_STORE_PASSWORD,
|
||||
TRUST_STORE_TYPE,
|
||||
TlsConfiguration.SSL_PROTOCOL
|
||||
StandardTlsConfiguration.SSL_PROTOCOL
|
||||
);
|
||||
|
||||
final String[] enabledProtocols = configuration.getEnabledProtocols();
|
||||
|
||||
final List<String> expectedProtocols = new ArrayList<>();
|
||||
expectedProtocols.addAll(Arrays.asList(TlsConfiguration.LEGACY_TLS_PROTOCOL_VERSIONS));
|
||||
expectedProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()));
|
||||
assertArrayEquals(expectedProtocols.toArray(), enabledProtocols);
|
||||
assertArrayEquals(TlsPlatform.getSupportedProtocols().toArray(new String[0]), enabledProtocols);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -24,8 +24,8 @@ import javax.net.ssl.SSLContext;
|
|||
import javax.net.ssl.SSLServerSocket;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
import org.apache.nifi.logging.NiFiLog;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsException;
|
||||
import org.apache.nifi.security.util.TlsPlatform;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
|
|
@ -65,8 +65,8 @@ public final class SocketUtils {
|
|||
*/
|
||||
Socket tempSocket = sslContext.getSocketFactory().createSocket(address.getHostName(), address.getPort());
|
||||
final SSLSocket sslSocket = (SSLSocket) tempSocket;
|
||||
// Enforce custom protocols on socket
|
||||
sslSocket.setEnabledProtocols(TlsConfiguration.getCurrentSupportedTlsProtocolVersions());
|
||||
// Set Preferred TLS Protocol Versions
|
||||
sslSocket.setEnabledProtocols(TlsPlatform.getPreferredProtocols().toArray(new String[0]));
|
||||
socket = sslSocket;
|
||||
}
|
||||
|
||||
|
|
@ -128,8 +128,8 @@ public final class SocketUtils {
|
|||
serverSocket = sslContext.getServerSocketFactory().createServerSocket(port);
|
||||
final SSLServerSocket sslServerSocket = (SSLServerSocket) serverSocket;
|
||||
sslServerSocket.setNeedClientAuth(config.getNeedClientAuth());
|
||||
// Enforce custom protocols on socket
|
||||
sslServerSocket.setEnabledProtocols(TlsConfiguration.getCurrentSupportedTlsProtocolVersions());
|
||||
// Set Preferred TLS Protocol Versions
|
||||
sslServerSocket.setEnabledProtocols(TlsPlatform.getPreferredProtocols().toArray(new String[0]));
|
||||
}
|
||||
|
||||
if (config.getSocketTimeout() != null) {
|
||||
|
|
@ -147,29 +147,6 @@ public final class SocketUtils {
|
|||
return serverSocket;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a {@link SSLServerSocket} for the given port and configuration.
|
||||
*
|
||||
* @param port the port for the socket
|
||||
* @param serverSocketConfiguration the {@link ServerSocketConfiguration}
|
||||
* @return the SSL server socket
|
||||
* @throws TlsException if there was a problem creating the socket
|
||||
*/
|
||||
public static SSLServerSocket createSSLServerSocket(final int port, final ServerSocketConfiguration serverSocketConfiguration) throws TlsException {
|
||||
try {
|
||||
ServerSocket serverSocket = createServerSocket(port, serverSocketConfiguration);
|
||||
if (serverSocket instanceof SSLServerSocket) {
|
||||
return ((SSLServerSocket) serverSocket);
|
||||
} else {
|
||||
throw new TlsException("Created server socket does not support SSL/TLS");
|
||||
}
|
||||
} catch (IOException e) {
|
||||
logger.error("Encountered an error creating SSLServerSocket: {}", e.getLocalizedMessage());
|
||||
throw new TlsException("Error creating SSLServerSocket", e);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public static void closeQuietly(final Socket socket) {
|
||||
if (socket == null) {
|
||||
return;
|
||||
|
|
|
|||
|
|
@ -1,84 +0,0 @@
|
|||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright ownership.
|
||||
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
* (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.nifi.io.socket;
|
||||
|
||||
import org.apache.commons.lang3.ArrayUtils;
|
||||
import org.apache.nifi.security.util.KeystoreType;
|
||||
import org.apache.nifi.security.util.StandardTlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsException;
|
||||
import org.apache.nifi.util.NiFiProperties;
|
||||
import org.junit.jupiter.api.BeforeAll;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import javax.net.ssl.SSLServerSocket;
|
||||
import java.io.IOException;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.assertArrayEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertFalse;
|
||||
|
||||
public class SocketUtilsTest {
|
||||
private static final String KEYSTORE_PATH = "src/test/resources/TlsConfigurationKeystore.jks";
|
||||
private static final String KEYSTORE_PASSWORD = "keystorepassword";
|
||||
private static final String KEY_PASSWORD = "keypassword";
|
||||
private static final KeystoreType KEYSTORE_TYPE = KeystoreType.JKS;
|
||||
private static final String TRUSTSTORE_PATH = "src/test/resources/TlsConfigurationTruststore.jks";
|
||||
private static final String TRUSTSTORE_PASSWORD = "truststorepassword";
|
||||
private static final KeystoreType TRUSTSTORE_TYPE = KeystoreType.JKS;
|
||||
private static NiFiProperties mockNiFiProperties;
|
||||
|
||||
@BeforeAll
|
||||
public static void setUpOnce() throws Exception {
|
||||
final Map<String, String> defaultProps = new HashMap<>();
|
||||
defaultProps.put(org.apache.nifi.util.NiFiProperties.SECURITY_KEYSTORE, KEYSTORE_PATH);
|
||||
defaultProps.put(org.apache.nifi.util.NiFiProperties.SECURITY_KEYSTORE_PASSWD, KEYSTORE_PASSWORD);
|
||||
defaultProps.put(org.apache.nifi.util.NiFiProperties.SECURITY_KEY_PASSWD, KEY_PASSWORD);
|
||||
defaultProps.put(org.apache.nifi.util.NiFiProperties.SECURITY_KEYSTORE_TYPE, KEYSTORE_TYPE.getType());
|
||||
defaultProps.put(org.apache.nifi.util.NiFiProperties.SECURITY_TRUSTSTORE, TRUSTSTORE_PATH);
|
||||
defaultProps.put(org.apache.nifi.util.NiFiProperties.SECURITY_TRUSTSTORE_PASSWD, TRUSTSTORE_PASSWORD);
|
||||
defaultProps.put(org.apache.nifi.util.NiFiProperties.SECURITY_TRUSTSTORE_TYPE, TRUSTSTORE_TYPE.getType());
|
||||
mockNiFiProperties = NiFiProperties.createBasicNiFiProperties(null, defaultProps);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCreateSSLServerSocketShouldRestrictTlsProtocols() throws TlsException, IOException {
|
||||
ServerSocketConfiguration mockServerSocketConfiguration = new ServerSocketConfiguration();
|
||||
mockServerSocketConfiguration.setTlsConfiguration(StandardTlsConfiguration.fromNiFiProperties(mockNiFiProperties));
|
||||
|
||||
try (SSLServerSocket sslServerSocket = SocketUtils.createSSLServerSocket(0, mockServerSocketConfiguration)) {
|
||||
String[] enabledProtocols = sslServerSocket.getEnabledProtocols();
|
||||
assertArrayEquals(TlsConfiguration.getCurrentSupportedTlsProtocolVersions(), enabledProtocols);
|
||||
assertFalse(ArrayUtils.contains(enabledProtocols, "TLSv1"));
|
||||
assertFalse(ArrayUtils.contains(enabledProtocols, "TLSv1.1"));
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCreateServerSocketShouldRestrictTlsProtocols() throws TlsException, IOException {
|
||||
ServerSocketConfiguration mockServerSocketConfiguration = new ServerSocketConfiguration();
|
||||
mockServerSocketConfiguration.setTlsConfiguration(StandardTlsConfiguration.fromNiFiProperties(mockNiFiProperties));
|
||||
|
||||
try (SSLServerSocket sslServerSocket = (SSLServerSocket)SocketUtils.createServerSocket(0, mockServerSocketConfiguration)) {
|
||||
String[] enabledProtocols = sslServerSocket.getEnabledProtocols();
|
||||
assertArrayEquals(TlsConfiguration.getCurrentSupportedTlsProtocolVersions(), enabledProtocols);
|
||||
assertFalse(ArrayUtils.contains(enabledProtocols, "TLSv1"));
|
||||
assertFalse(ArrayUtils.contains(enabledProtocols, "TLSv1.1"));
|
||||
}
|
||||
}
|
||||
}
|
||||
Binary file not shown.
Binary file not shown.
|
|
@ -41,7 +41,6 @@ import java.net.Socket;
|
|||
import java.security.GeneralSecurityException;
|
||||
import java.util.Properties;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
|
@ -66,8 +65,7 @@ public class TestListenSMTP {
|
|||
testTlsConfiguration.getKeystoreType(),
|
||||
testTlsConfiguration.getTruststorePath(),
|
||||
testTlsConfiguration.getTruststorePassword(),
|
||||
testTlsConfiguration.getTruststoreType(),
|
||||
TlsConfiguration.TLS_1_2_PROTOCOL
|
||||
testTlsConfiguration.getTruststoreType()
|
||||
);
|
||||
|
||||
final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration);
|
||||
|
|
@ -119,28 +117,6 @@ public class TestListenSMTP {
|
|||
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, MESSAGES);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testListenSMTPwithTLSLegacyProtocolException() throws Exception {
|
||||
final TestRunner runner = newTestRunner();
|
||||
|
||||
configureSslContextService(runner);
|
||||
runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, SSL_SERVICE_IDENTIFIER);
|
||||
runner.setProperty(ListenSMTP.CLIENT_AUTH, ClientAuth.NONE.name());
|
||||
runner.assertValid();
|
||||
|
||||
runner.run(1, false);
|
||||
|
||||
final int port = ((ListenSMTP) runner.getProcessor()).getListeningPort();
|
||||
assertPortListening(port);
|
||||
|
||||
final Session session = getSessionTls(port, TlsConfiguration.TLS_1_0_PROTOCOL);
|
||||
final MessagingException exception = assertThrows(MessagingException.class, () -> sendMessage(session, 0));
|
||||
assertEquals(exception.getMessage(), "Could not convert socket to TLS");
|
||||
|
||||
runner.shutdown();
|
||||
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testListenSMTPwithTooLargeMessage() throws InterruptedException {
|
||||
final TestRunner runner = newTestRunner();
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ import org.apache.commons.io.IOUtils;
|
|||
import org.apache.nifi.events.EventReporter;
|
||||
import org.apache.nifi.reporting.Severity;
|
||||
import org.apache.nifi.security.util.CertificateUtils;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsPlatform;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
|
|
@ -119,8 +119,8 @@ public class ConnectionLoadBalanceServer {
|
|||
} else {
|
||||
final SSLServerSocket serverSocket = (SSLServerSocket) sslContext.getServerSocketFactory().createServerSocket(port, 50, inetAddress);
|
||||
serverSocket.setNeedClientAuth(true);
|
||||
// Enforce custom protocols on socket
|
||||
serverSocket.setEnabledProtocols(TlsConfiguration.getCurrentSupportedTlsProtocolVersions());
|
||||
// Set Preferred TLS Protocol Versions
|
||||
serverSocket.setEnabledProtocols(TlsPlatform.getPreferredProtocols().toArray(new String[0]));
|
||||
return serverSocket;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ import org.apache.nifi.remote.io.socket.SocketCommunicationsSession;
|
|||
import org.apache.nifi.remote.protocol.CommunicationsSession;
|
||||
import org.apache.nifi.remote.protocol.RequestType;
|
||||
import org.apache.nifi.remote.protocol.ServerProtocol;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsPlatform;
|
||||
import org.apache.nifi.util.NiFiProperties;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
|
@ -381,8 +381,8 @@ public class SocketRemoteSiteListener implements RemoteSiteListener {
|
|||
if (sslContext != null) {
|
||||
final SSLServerSocket serverSocket = (SSLServerSocket) sslContext.getServerSocketFactory().createServerSocket(socketPort);
|
||||
serverSocket.setNeedClientAuth(true);
|
||||
// Enforce custom protocols on socket
|
||||
serverSocket.setEnabledProtocols(TlsConfiguration.getCurrentSupportedTlsProtocolVersions());
|
||||
// Set Preferred TLS Protocol Versions
|
||||
serverSocket.setEnabledProtocols(TlsPlatform.getPreferredProtocols().toArray(new String[0]));
|
||||
return serverSocket;
|
||||
} else {
|
||||
return new ServerSocket(socketPort);
|
||||
|
|
|
|||
|
|
@ -44,8 +44,7 @@ public class SslContextUtils {
|
|||
TLS_CONFIGURATION.getKeystoreType().getType(),
|
||||
TLS_CONFIGURATION.getTruststorePath(),
|
||||
TLS_CONFIGURATION.getTruststorePassword(),
|
||||
TLS_CONFIGURATION.getTruststoreType().getType(),
|
||||
TlsConfiguration.TLS_1_2_PROTOCOL
|
||||
TLS_CONFIGURATION.getTruststoreType().getType()
|
||||
);
|
||||
|
||||
TRUSTSTORE_TLS_CONFIGURATION = new StandardTlsConfiguration(
|
||||
|
|
@ -55,8 +54,7 @@ public class SslContextUtils {
|
|||
null,
|
||||
TLS_CONFIGURATION.getTruststorePath(),
|
||||
TLS_CONFIGURATION.getTruststorePassword(),
|
||||
TLS_CONFIGURATION.getTruststoreType().getType(),
|
||||
TlsConfiguration.TLS_1_2_PROTOCOL
|
||||
TLS_CONFIGURATION.getTruststoreType().getType()
|
||||
);
|
||||
} catch (final Exception e) {
|
||||
throw new IllegalStateException("Failed to create TLS configuration for testing", e);
|
||||
|
|
|
|||
|
|
@ -24,7 +24,6 @@ import org.apache.nifi.annotation.documentation.Tags;
|
|||
import org.apache.nifi.components.AllowableValue;
|
||||
import org.apache.nifi.components.PropertyDescriptor;
|
||||
import org.apache.nifi.processor.util.StandardValidators;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsPlatform;
|
||||
|
||||
/**
|
||||
|
|
@ -43,7 +42,7 @@ public class StandardRestrictedSSLContextService extends StandardSSLContextServi
|
|||
public static final PropertyDescriptor RESTRICTED_SSL_ALGORITHM = new PropertyDescriptor.Builder()
|
||||
.name("SSL Protocol")
|
||||
.displayName("TLS Protocol")
|
||||
.defaultValue(TlsConfiguration.TLS_PROTOCOL)
|
||||
.defaultValue(TLS_PROTOCOL)
|
||||
.required(false)
|
||||
.allowableValues(getRestrictedProtocolAllowableValues())
|
||||
.description("TLS Protocol Version for encrypted connections. Supported versions depend on the specific version of Java used.")
|
||||
|
|
@ -79,7 +78,7 @@ public class StandardRestrictedSSLContextService extends StandardSSLContextServi
|
|||
private static AllowableValue[] getRestrictedProtocolAllowableValues() {
|
||||
final List<AllowableValue> allowableValues = new ArrayList<>();
|
||||
|
||||
allowableValues.add(new AllowableValue(TlsConfiguration.TLS_PROTOCOL, TlsConfiguration.TLS_PROTOCOL, "Negotiate latest protocol version based on platform supported versions"));
|
||||
allowableValues.add(new AllowableValue(TLS_PROTOCOL, TLS_PROTOCOL, "Negotiate latest protocol version based on platform supported versions"));
|
||||
|
||||
for (final String preferredProtocol : TlsPlatform.getPreferredProtocols()) {
|
||||
final String description = String.format("Require %s protocol version", preferredProtocol);
|
||||
|
|
|
|||
|
|
@ -63,6 +63,10 @@ import java.util.Map;
|
|||
+ "allows a specific set of SSL protocols to be chosen.")
|
||||
public class StandardSSLContextService extends AbstractControllerService implements SSLContextService {
|
||||
|
||||
public static final String TLS_PROTOCOL = "TLS";
|
||||
|
||||
public static final String SSL_PROTOCOL = "SSL";
|
||||
|
||||
public static final PropertyDescriptor TRUSTSTORE = new PropertyDescriptor.Builder()
|
||||
.name("Truststore Filename")
|
||||
.description("The fully-qualified filename of the Truststore")
|
||||
|
|
@ -120,7 +124,7 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
public static final PropertyDescriptor SSL_ALGORITHM = new PropertyDescriptor.Builder()
|
||||
.name("SSL Protocol")
|
||||
.displayName("TLS Protocol")
|
||||
.defaultValue(TlsConfiguration.TLS_PROTOCOL)
|
||||
.defaultValue(TLS_PROTOCOL)
|
||||
.required(false)
|
||||
.allowableValues(getProtocolAllowableValues())
|
||||
.description("SSL or TLS Protocol Version for encrypted connections. Supported versions include insecure legacy options and depend on the specific version of Java used.")
|
||||
|
|
@ -129,6 +133,7 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
.build();
|
||||
|
||||
private static final List<PropertyDescriptor> properties;
|
||||
|
||||
protected ConfigurationContext configContext;
|
||||
private boolean isValidated;
|
||||
|
||||
|
|
@ -562,8 +567,8 @@ public class StandardSSLContextService extends AbstractControllerService impleme
|
|||
private static AllowableValue[] getProtocolAllowableValues() {
|
||||
final List<AllowableValue> allowableValues = new ArrayList<>();
|
||||
|
||||
allowableValues.add(new AllowableValue(TlsConfiguration.SSL_PROTOCOL, TlsConfiguration.SSL_PROTOCOL, "Negotiate latest SSL or TLS protocol version based on platform supported versions"));
|
||||
allowableValues.add(new AllowableValue(TlsConfiguration.TLS_PROTOCOL, TlsConfiguration.TLS_PROTOCOL, "Negotiate latest TLS protocol version based on platform supported versions"));
|
||||
allowableValues.add(new AllowableValue(SSL_PROTOCOL, SSL_PROTOCOL, "Negotiate latest SSL or TLS protocol version based on platform supported versions"));
|
||||
allowableValues.add(new AllowableValue(TLS_PROTOCOL, TLS_PROTOCOL, "Negotiate latest TLS protocol version based on platform supported versions"));
|
||||
|
||||
for (final String supportedProtocol : TlsPlatform.getSupportedProtocols()) {
|
||||
final String description = String.format("Require %s protocol version", supportedProtocol);
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ package org.apache.nifi.stateless.config;
|
|||
import org.apache.nifi.security.util.SslContextFactory;
|
||||
import org.apache.nifi.security.util.StandardTlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsPlatform;
|
||||
|
||||
import javax.net.ssl.SSLContext;
|
||||
|
||||
|
|
@ -49,6 +50,6 @@ public class SslConfigurationUtil {
|
|||
sslContextDefinition.getTruststoreFile(),
|
||||
sslContextDefinition.getTruststorePass(),
|
||||
sslContextDefinition.getTruststoreType(),
|
||||
TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
|
||||
TlsPlatform.getLatestProtocol());
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ import javax.net.ssl.SSLContext;
|
|||
import org.apache.nifi.registry.security.util.KeystoreType;
|
||||
import org.apache.nifi.security.ssl.StandardKeyStoreBuilder;
|
||||
import org.apache.nifi.security.ssl.StandardSslContextBuilder;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsPlatform;
|
||||
|
||||
/**
|
||||
* Configuration for a NiFiClient.
|
||||
|
|
@ -58,7 +58,7 @@ public class NiFiClientConfig {
|
|||
this.truststoreFilename = builder.truststoreFilename;
|
||||
this.truststorePass = builder.truststorePass;
|
||||
this.truststoreType = builder.truststoreType;
|
||||
this.protocol = builder.protocol == null ? TlsConfiguration.TLS_PROTOCOL : builder.protocol;
|
||||
this.protocol = builder.protocol == null ? TlsPlatform.getLatestProtocol() : builder.protocol;
|
||||
this.hostnameVerifier = builder.hostnameVerifier;
|
||||
this.readTimeout = builder.readTimeout;
|
||||
this.connectTimeout = builder.connectTimeout;
|
||||
|
|
|
|||
|
|
@ -23,7 +23,6 @@ import java.io.StringReader;
|
|||
import java.nio.charset.StandardCharsets;
|
||||
import java.security.KeyPair;
|
||||
import java.security.MessageDigest;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
|
@ -39,7 +38,7 @@ import org.apache.http.impl.client.CloseableHttpClient;
|
|||
import org.apache.http.impl.client.HttpClientBuilder;
|
||||
import org.apache.http.ssl.SSLContextBuilder;
|
||||
import org.apache.nifi.security.util.CertificateUtils;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsPlatform;
|
||||
import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
|
||||
import org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityRequest;
|
||||
import org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse;
|
||||
|
|
@ -65,12 +64,12 @@ public class TlsCertificateSigningRequestPerformer {
|
|||
private final ObjectMapper objectMapper;
|
||||
private final String signingAlgorithm;
|
||||
|
||||
public TlsCertificateSigningRequestPerformer(TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException {
|
||||
public TlsCertificateSigningRequestPerformer(TlsClientConfig tlsClientConfig) {
|
||||
this(HttpClientBuilder::create, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getDomainAlternativeNames(),
|
||||
tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.getSigningAlgorithm());
|
||||
}
|
||||
|
||||
protected TlsCertificateSigningRequestPerformer(Supplier<HttpClientBuilder> httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) throws NoSuchAlgorithmException {
|
||||
protected TlsCertificateSigningRequestPerformer(Supplier<HttpClientBuilder> httpClientBuilderSupplier, TlsClientConfig tlsClientConfig) {
|
||||
this(httpClientBuilderSupplier, tlsClientConfig.getCaHostname(), tlsClientConfig.getDn(), tlsClientConfig.getDomainAlternativeNames(),
|
||||
tlsClientConfig.getToken(), tlsClientConfig.getPort(), tlsClientConfig.getSigningAlgorithm());
|
||||
}
|
||||
|
|
@ -100,7 +99,7 @@ public class TlsCertificateSigningRequestPerformer {
|
|||
|
||||
HttpClientBuilder httpClientBuilder = httpClientBuilderSupplier.get();
|
||||
SSLContextBuilder sslContextBuilder = SSLContextBuilder.create();
|
||||
sslContextBuilder.useProtocol(TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
|
||||
sslContextBuilder.setProtocol(TlsPlatform.getLatestProtocol());
|
||||
|
||||
// We will be validating that we are talking to the correct host once we get the response's hmac of the token and public key of the ca
|
||||
sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ import java.security.KeyPair;
|
|||
import java.security.KeyStore;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.X509Certificate;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsPlatform;
|
||||
import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
|
||||
import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager;
|
||||
import org.apache.nifi.toolkit.tls.manager.writer.JsonConfigurationWriter;
|
||||
|
|
@ -63,7 +63,7 @@ public class TlsCertificateAuthorityService {
|
|||
Server server = new Server();
|
||||
|
||||
SslContextFactory sslContextFactory = new SslContextFactory.Server();
|
||||
sslContextFactory.setIncludeProtocols(TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
|
||||
sslContextFactory.setIncludeProtocols(TlsPlatform.getLatestProtocol());
|
||||
sslContextFactory.setKeyStore(keyStore);
|
||||
sslContextFactory.setKeyManagerPassword(keyPassword);
|
||||
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@ import org.apache.commons.cli.CommandLine;
|
|||
import org.apache.nifi.security.util.SslContextFactory;
|
||||
import org.apache.nifi.security.util.StandardTlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.security.util.TlsPlatform;
|
||||
import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
|
||||
import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
|
||||
import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
|
||||
|
|
@ -45,7 +46,7 @@ public class TlsToolkitGetStatusCommandLine extends BaseCommandLine {
|
|||
public static final String TRUSTSTORE_PASSWORD_ARG = "trustStorePassword";
|
||||
public static final String PROTOCOL_ARG = "protocol";
|
||||
|
||||
public static final String DEFAULT_PROTOCOL = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion();
|
||||
public static final String DEFAULT_PROTOCOL = TlsPlatform.getLatestProtocol();
|
||||
public static final String DEFAULT_KEYSTORE_TYPE = "JKS";
|
||||
|
||||
public static final String DESCRIPTION = "Checks the status of an HTTPS endpoint by making a GET request using a supplied keystore and truststore.";
|
||||
|
|
|
|||
Loading…
Reference in New Issue