Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-7913 Added getEnabledProtocols() to TlsConfiguration and updated ListenSMTP to set enabled protocols on SSL Sockets 

NIFI-7913 Changed order of supported protocols to match existing comments in SSLContextService

This closes #4599

Signed-off-by: Nathan Gough <thenatog@gmail.com>
This commit is contained in:
exceptionfactory 2020-10-12 18:00:35 -04:00 committed by Nathan Gough
parent 8e4948322e
commit 7bff64b3cf
7 changed files with 193 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java
View File

@ -25,6 +25,13 @@ import java.util.regex.Pattern;
* {@link javax.net.ssl.SSLContext}s.
*/
public interface TlsConfiguration {
String SSL_PROTOCOL = "SSL";
String TLS_PROTOCOL = "TLS";
String TLS_1_0_PROTOCOL = "TLSv1";
String TLS_1_1_PROTOCOL = "TLSv1.1";
String[] LEGACY_TLS_PROTOCOL_VERSIONS = new String[]{TLS_1_0_PROTOCOL, TLS_1_1_PROTOCOL};
String JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.2";
String JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.3";
String[] JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS = new String[]{JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION};
@ -157,6 +164,13 @@ public interface TlsConfiguration {
*/
String[] getTruststorePropertiesForLogging();
/**
* Get Enabled TLS Protocol Versions
*
* @return Enabled TLS Protocols
*/
String[] getEnabledProtocols();
/**
* Returns the JVM Java major version based on the System properties (e.g. {@code JVM 1.8.0.231} -> {code 8}).
*

26
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java
View File

@ -18,6 +18,9 @@ package org.apache.nifi.security.util;
import java.io.File;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
@ -432,6 +435,29 @@ public class StandardTlsConfiguration implements TlsConfiguration {
return new String[]{getTruststorePath(), getTruststorePasswordForLogging(), getKeystoreType() != null ? getTruststoreType().getType() : NULL_LOG};
}
/**
* Get Enabled TLS Protocols translates SSL to legacy protocols and TLS to current protocols or returns configured protocol
*
* @return Enabled TLS Protocols
*/
@Override
public String[] getEnabledProtocols() {
final List<String> enabledProtocols = new ArrayList<>();
final String configuredProtocol = getProtocol();
if (TLS_PROTOCOL.equals(configuredProtocol)) {
enabledProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()));
} else if (SSL_PROTOCOL.equals(configuredProtocol)) {
enabledProtocols.addAll(Arrays.asList(LEGACY_TLS_PROTOCOL_VERSIONS));
enabledProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()));
} else if (configuredProtocol != null) {
enabledProtocols.add(configuredProtocol);
}
return enabledProtocols.toArray(new String[enabledProtocols.size()]);
}
@Override
public String toString() {
StringBuilder sb = new StringBuilder("[TlsConfiguration]");

39
nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/StandardTlsConfigurationTest.groovy
View File

@ -209,4 +209,43 @@ class StandardTlsConfigurationTest extends GroovyTestCase {
assert !wrongPasswordIsValid
assert !invalidIsValid
}
@Test
void testShouldReturnLegacyAndCurrentEnabledProtocolsForSsl() {
TlsConfiguration configuration = getTlsConfiguration(TlsConfiguration.SSL_PROTOCOL)
String[] enabledProtocols = configuration.enabledProtocols
assert enabledProtocols.toList().containsAll(TlsConfiguration.LEGACY_TLS_PROTOCOL_VERSIONS)
assert enabledProtocols.toList().containsAll(TlsConfiguration.getCurrentSupportedTlsProtocolVersions())
}
@Test
void testShouldReturnCurrentEnabledProtocolsForTls() {
TlsConfiguration configuration = getTlsConfiguration(TlsConfiguration.TLS_PROTOCOL)
String[] enabledProtocols = configuration.enabledProtocols
assert !enabledProtocols.toList().containsAll(TlsConfiguration.LEGACY_TLS_PROTOCOL_VERSIONS)
assert enabledProtocols.toList().containsAll(TlsConfiguration.getCurrentSupportedTlsProtocolVersions())
}
@Test
void testShouldReturnConfiguredEnabledProtocols() {
String currentProtocol = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()
TlsConfiguration configuration = getTlsConfiguration(currentProtocol)
String[] enabledProtocols = configuration.enabledProtocols
assert enabledProtocols == [currentProtocol]
}
@Test
void testShouldReturnEmptyEnabledProtocolsForNullProtocol() {
TlsConfiguration configuration = getTlsConfiguration(null)
String[] enabledProtocols = configuration.enabledProtocols
assert enabledProtocols.toList().isEmpty()
}
TlsConfiguration getTlsConfiguration(String protocol) {
new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, protocol)
}
}

4
nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java
View File

@ -50,6 +50,7 @@ import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.email.smtp.SmtpConsumer;
import org.apache.nifi.security.util.ClientAuth;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.ssl.RestrictedSSLContextService;
import org.apache.nifi.ssl.SSLContextService;
import org.springframework.util.StringUtils;
@ -252,6 +253,9 @@ public class ListenSMTP extends AbstractSessionFactoryProcessor {
SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuth));
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket sslSocket = (SSLSocket) (socketFactory.createSocket(socket, remoteAddress.getHostName(), socket.getPort(), true));
final TlsConfiguration tlsConfiguration = sslContextService.createTlsConfiguration();
sslSocket.setEnabledProtocols(tlsConfiguration.getEnabledProtocols());
sslSocket.setUseClientMode(false);
if (ClientAuth.REQUIRED.toString().equals(clientAuth)) {

202
nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java
View File

@ -16,6 +16,8 @@
*/
package org.apache.nifi.processors.email;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThrows;
import static org.junit.Assert.assertTrue;
import java.util.Properties;
@ -26,7 +28,9 @@ import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import org.apache.nifi.remote.io.socket.NetworkUtils;
import org.apache.nifi.reporting.InitializationException;
import org.apache.nifi.security.util.ClientAuth;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.ssl.SSLContextService;
import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
import org.apache.nifi.ssl.StandardSSLContextService;
@ -35,38 +39,20 @@ import org.apache.nifi.util.TestRunners;
import org.junit.Test;
public class TestListenSMTP {
private static final String SSL_SERVICE_IDENTIFIER = "ssl-context";
@Test
public void testListenSMTP() throws Exception {
final ListenSMTP processor = new ListenSMTP();
final TestRunner runner = TestRunners.newTestRunner(processor);
final int port = NetworkUtils.availablePort();
runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
final TestRunner runner = newTestRunner(port);
runner.run(1, false);
assertPortListening(port);
assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000));
final Properties config = new Properties();
config.put("mail.smtp.host", "localhost");
config.put("mail.smtp.port", String.valueOf(port));
config.put("mail.smtp.connectiontimeout", "5000");
config.put("mail.smtp.timeout", "5000");
config.put("mail.smtp.writetimeout", "5000");
final Session session = Session.getInstance(config);
session.setDebug(true);
final Session session = getSession(port);
final int numMessages = 5;
for (int i = 0; i < numMessages; i++) {
final Message email = new MimeMessage(session);
email.setFrom(new InternetAddress("alice@nifi.apache.org"));
email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
email.setSubject("This is a test");
email.setText("MSG-" + i);
Transport.send(email);
sendMessage(session, i);
}
runner.shutdown();
@ -74,34 +60,92 @@ public class TestListenSMTP {
}
@Test
public void testListenSMTPwithTLS() throws Exception {
final ListenSMTP processor = new ListenSMTP();
final TestRunner runner = TestRunners.newTestRunner(processor);
public void testListenSMTPwithTLSCurrentVersion() throws Exception {
final int port = NetworkUtils.availablePort();
runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
final TestRunner runner = newTestRunner(port);
// Setup the SSL Context
final SSLContextService sslContextService = new StandardRestrictedSSLContextService();
runner.addControllerService("ssl-context", sslContextService);
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/truststore.jks");
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "passwordpassword");
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, "JKS");
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE, "src/test/resources/keystore.jks");
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_PASSWORD, "passwordpassword");
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_TYPE, "JKS");
runner.enableControllerService(sslContextService);
// and add the SSL context to the runner
runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, "ssl-context");
final String tlsProtocol = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion();
configureSslContextService(runner, tlsProtocol);
runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, SSL_SERVICE_IDENTIFIER);
runner.setProperty(ListenSMTP.CLIENT_AUTH, ClientAuth.NONE.name());
runner.assertValid();
runner.run(1, false);
assertPortListening(port);
final Session session = getSessionTls(port, tlsProtocol);
final int numMessages = 5;
for (int i = 0; i < numMessages; i++) {
sendMessage(session, i);
}
runner.shutdown();
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, numMessages);
}
@Test
public void testListenSMTPwithTLSLegacyProtocolException() throws Exception {
final int port = NetworkUtils.availablePort();
final TestRunner runner = newTestRunner(port);
configureSslContextService(runner, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, SSL_SERVICE_IDENTIFIER);
runner.setProperty(ListenSMTP.CLIENT_AUTH, ClientAuth.NONE.name());
runner.assertValid();
runner.run(1, false);
assertPortListening(port);
final Session session = getSessionTls(port, TlsConfiguration.TLS_1_0_PROTOCOL);
final MessagingException exception = assertThrows(MessagingException.class, () -> sendMessage(session, 0));
assertEquals(exception.getMessage(), "Could not convert socket to TLS");
runner.shutdown();
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0);
}
@Test
public void testListenSMTPwithTooLargeMessage() throws Exception {
final int port = NetworkUtils.availablePort();
final TestRunner runner = newTestRunner(port);
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_MSG_SIZE, "10 B");
runner.run(1, false);
assertPortListening(port);
final Session session = getSession(port);
assertThrows(MessagingException.class, () -> sendMessage(session, 0));
runner.shutdown();
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0);
}
private TestRunner newTestRunner(final int port) {
final ListenSMTP processor = new ListenSMTP();
final TestRunner runner = TestRunners.newTestRunner(processor);
runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
return runner;
}
private void assertPortListening(final int port) {
assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000));
}
private Session getSession(final int port) {
final Properties config = new Properties();
config.put("mail.smtp.host", "localhost");
config.put("mail.smtp.port", String.valueOf(port));
config.put("mail.smtp.connectiontimeout", "5000");
config.put("mail.smtp.timeout", "5000");
config.put("mail.smtp.writetimeout", "5000");
final Session session = Session.getInstance(config);
session.setDebug(true);
return session;
}
private Session getSessionTls(final int port, final String tlsProtocol) {
final Properties config = new Properties();
config.put("mail.smtp.host", "localhost");
config.put("mail.smtp.port", String.valueOf(port));
@ -112,64 +156,32 @@ public class TestListenSMTP {
config.put("mail.smtp.connectiontimeout", "5000");
config.put("mail.smtp.timeout", "5000");
config.put("mail.smtp.writetimeout", "5000");
config.put("mail.smtp.ssl.protocols", tlsProtocol);
final Session session = Session.getInstance(config);
session.setDebug(true);
final int numMessages = 5;
for (int i = 0; i < numMessages; i++) {
final Message email = new MimeMessage(session);
email.setFrom(new InternetAddress("alice@nifi.apache.org"));
email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
email.setSubject("This is a test");
email.setText("MSG-" + i);
Transport.send(email);
}
runner.shutdown();
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, numMessages);
return session;
}
@Test(expected = MessagingException.class)
public void testListenSMTPwithTooLargeMessage() throws Exception {
final ListenSMTP processor = new ListenSMTP();
final TestRunner runner = TestRunners.newTestRunner(processor);
final int port = NetworkUtils.availablePort();
runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_MSG_SIZE, "10 B");
runner.run(1, false);
assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000));
final Properties config = new Properties();
config.put("mail.smtp.host", "localhost");
config.put("mail.smtp.port", String.valueOf(port));
config.put("mail.smtp.connectiontimeout", "5000");
config.put("mail.smtp.timeout", "5000");
config.put("mail.smtp.writetimeout", "5000");
final Session session = Session.getInstance(config);
session.setDebug(true);
MessagingException messagingException = null;
try {
final Message email = new MimeMessage(session);
email.setFrom(new InternetAddress("alice@nifi.apache.org"));
email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
email.setSubject("This is a test");
email.setText("MSG-0");
Transport.send(email);
} catch (final MessagingException e) {
messagingException = e;
}
runner.shutdown();
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0);
if (messagingException != null) throw messagingException;
private void sendMessage(final Session session, final int i) throws MessagingException {
final Message email = new MimeMessage(session);
email.setFrom(new InternetAddress("alice@nifi.apache.org"));
email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
email.setSubject("This is a test");
email.setText("MSG-" + i);
Transport.send(email);
}
private void configureSslContextService(final TestRunner runner, final String tlsProtocol) throws InitializationException {
final SSLContextService sslContextService = new StandardRestrictedSSLContextService();
runner.addControllerService(SSL_SERVICE_IDENTIFIER, sslContextService);
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/truststore.jks");
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "passwordpassword");
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, "JKS");
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE, "src/test/resources/keystore.jks");
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_PASSWORD, "passwordpassword");
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_TYPE, "JKS");
runner.setProperty(sslContextService, StandardSSLContextService.SSL_ALGORITHM, tlsProtocol);
runner.enableControllerService(sslContextService);
}
}

2
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java
View File

@ -87,7 +87,7 @@ public class StandardRestrictedSSLContextService extends StandardSSLContextServi
static AllowableValue[] buildAlgorithmAllowableValues() {
final Set<String> supportedProtocols = new HashSet<>();
supportedProtocols.add("TLS");
supportedProtocols.add(TlsConfiguration.TLS_PROTOCOL);
/*
* Add specifically supported TLS versions

4
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
View File

@ -109,10 +109,10 @@ public interface SSLContextService extends ControllerService {
* Prepopulate protocols with generic instance types commonly used
* see: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
*/
supportedProtocols.add("TLS");
supportedProtocols.add(TlsConfiguration.TLS_PROTOCOL);
// This is still available for outgoing connections to legacy services, but can be disabled with jdk.tls.disabledAlgorithms
supportedProtocols.add("SSL");
supportedProtocols.add(TlsConfiguration.SSL_PROTOCOL);
// Determine those provided by the JVM on the system
try {