mirror of https://github.com/apache/nifi.git
NIFI-7913 Added getEnabledProtocols() to TlsConfiguration and updated ListenSMTP to set enabled protocols on SSL Sockets
NIFI-7913 Changed order of supported protocols to match existing comments in SSLContextService This closes #4599 Signed-off-by: Nathan Gough <thenatog@gmail.com>
This commit is contained in:
parent
8e4948322e
commit
7bff64b3cf
|
@ -25,6 +25,13 @@ import java.util.regex.Pattern;
|
|||
* {@link javax.net.ssl.SSLContext}s.
|
||||
*/
|
||||
public interface TlsConfiguration {
|
||||
String SSL_PROTOCOL = "SSL";
|
||||
String TLS_PROTOCOL = "TLS";
|
||||
|
||||
String TLS_1_0_PROTOCOL = "TLSv1";
|
||||
String TLS_1_1_PROTOCOL = "TLSv1.1";
|
||||
String[] LEGACY_TLS_PROTOCOL_VERSIONS = new String[]{TLS_1_0_PROTOCOL, TLS_1_1_PROTOCOL};
|
||||
|
||||
String JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.2";
|
||||
String JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.3";
|
||||
String[] JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS = new String[]{JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION};
|
||||
|
@ -157,6 +164,13 @@ public interface TlsConfiguration {
|
|||
*/
|
||||
String[] getTruststorePropertiesForLogging();
|
||||
|
||||
/**
|
||||
* Get Enabled TLS Protocol Versions
|
||||
*
|
||||
* @return Enabled TLS Protocols
|
||||
*/
|
||||
String[] getEnabledProtocols();
|
||||
|
||||
/**
|
||||
* Returns the JVM Java major version based on the System properties (e.g. {@code JVM 1.8.0.231} -> {code 8}).
|
||||
*
|
||||
|
|
|
@ -18,6 +18,9 @@ package org.apache.nifi.security.util;
|
|||
|
||||
import java.io.File;
|
||||
import java.net.MalformedURLException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
import org.apache.nifi.util.NiFiProperties;
|
||||
import org.apache.nifi.util.StringUtils;
|
||||
|
@ -432,6 +435,29 @@ public class StandardTlsConfiguration implements TlsConfiguration {
|
|||
return new String[]{getTruststorePath(), getTruststorePasswordForLogging(), getKeystoreType() != null ? getTruststoreType().getType() : NULL_LOG};
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Get Enabled TLS Protocols translates SSL to legacy protocols and TLS to current protocols or returns configured protocol
|
||||
*
|
||||
* @return Enabled TLS Protocols
|
||||
*/
|
||||
@Override
|
||||
public String[] getEnabledProtocols() {
|
||||
final List<String> enabledProtocols = new ArrayList<>();
|
||||
|
||||
final String configuredProtocol = getProtocol();
|
||||
if (TLS_PROTOCOL.equals(configuredProtocol)) {
|
||||
enabledProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()));
|
||||
} else if (SSL_PROTOCOL.equals(configuredProtocol)) {
|
||||
enabledProtocols.addAll(Arrays.asList(LEGACY_TLS_PROTOCOL_VERSIONS));
|
||||
enabledProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()));
|
||||
} else if (configuredProtocol != null) {
|
||||
enabledProtocols.add(configuredProtocol);
|
||||
}
|
||||
|
||||
return enabledProtocols.toArray(new String[enabledProtocols.size()]);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
StringBuilder sb = new StringBuilder("[TlsConfiguration]");
|
||||
|
|
|
@ -209,4 +209,43 @@ class StandardTlsConfigurationTest extends GroovyTestCase {
|
|||
assert !wrongPasswordIsValid
|
||||
assert !invalidIsValid
|
||||
}
|
||||
|
||||
@Test
|
||||
void testShouldReturnLegacyAndCurrentEnabledProtocolsForSsl() {
|
||||
TlsConfiguration configuration = getTlsConfiguration(TlsConfiguration.SSL_PROTOCOL)
|
||||
|
||||
String[] enabledProtocols = configuration.enabledProtocols
|
||||
assert enabledProtocols.toList().containsAll(TlsConfiguration.LEGACY_TLS_PROTOCOL_VERSIONS)
|
||||
assert enabledProtocols.toList().containsAll(TlsConfiguration.getCurrentSupportedTlsProtocolVersions())
|
||||
}
|
||||
|
||||
@Test
|
||||
void testShouldReturnCurrentEnabledProtocolsForTls() {
|
||||
TlsConfiguration configuration = getTlsConfiguration(TlsConfiguration.TLS_PROTOCOL)
|
||||
|
||||
String[] enabledProtocols = configuration.enabledProtocols
|
||||
assert !enabledProtocols.toList().containsAll(TlsConfiguration.LEGACY_TLS_PROTOCOL_VERSIONS)
|
||||
assert enabledProtocols.toList().containsAll(TlsConfiguration.getCurrentSupportedTlsProtocolVersions())
|
||||
}
|
||||
|
||||
@Test
|
||||
void testShouldReturnConfiguredEnabledProtocols() {
|
||||
String currentProtocol = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()
|
||||
TlsConfiguration configuration = getTlsConfiguration(currentProtocol)
|
||||
|
||||
String[] enabledProtocols = configuration.enabledProtocols
|
||||
assert enabledProtocols == [currentProtocol]
|
||||
}
|
||||
|
||||
@Test
|
||||
void testShouldReturnEmptyEnabledProtocolsForNullProtocol() {
|
||||
TlsConfiguration configuration = getTlsConfiguration(null)
|
||||
|
||||
String[] enabledProtocols = configuration.enabledProtocols
|
||||
assert enabledProtocols.toList().isEmpty()
|
||||
}
|
||||
|
||||
TlsConfiguration getTlsConfiguration(String protocol) {
|
||||
new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, protocol)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -50,6 +50,7 @@ import org.apache.nifi.processor.exception.ProcessException;
|
|||
import org.apache.nifi.processor.util.StandardValidators;
|
||||
import org.apache.nifi.processors.email.smtp.SmtpConsumer;
|
||||
import org.apache.nifi.security.util.ClientAuth;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.ssl.RestrictedSSLContextService;
|
||||
import org.apache.nifi.ssl.SSLContextService;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
@ -252,6 +253,9 @@ public class ListenSMTP extends AbstractSessionFactoryProcessor {
|
|||
SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuth));
|
||||
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocket sslSocket = (SSLSocket) (socketFactory.createSocket(socket, remoteAddress.getHostName(), socket.getPort(), true));
|
||||
final TlsConfiguration tlsConfiguration = sslContextService.createTlsConfiguration();
|
||||
sslSocket.setEnabledProtocols(tlsConfiguration.getEnabledProtocols());
|
||||
|
||||
sslSocket.setUseClientMode(false);
|
||||
|
||||
if (ClientAuth.REQUIRED.toString().equals(clientAuth)) {
|
||||
|
|
|
@ -16,6 +16,8 @@
|
|||
*/
|
||||
package org.apache.nifi.processors.email;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertThrows;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import java.util.Properties;
|
||||
|
@ -26,7 +28,9 @@ import javax.mail.Transport;
|
|||
import javax.mail.internet.InternetAddress;
|
||||
import javax.mail.internet.MimeMessage;
|
||||
import org.apache.nifi.remote.io.socket.NetworkUtils;
|
||||
import org.apache.nifi.reporting.InitializationException;
|
||||
import org.apache.nifi.security.util.ClientAuth;
|
||||
import org.apache.nifi.security.util.TlsConfiguration;
|
||||
import org.apache.nifi.ssl.SSLContextService;
|
||||
import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
|
||||
import org.apache.nifi.ssl.StandardSSLContextService;
|
||||
|
@ -35,38 +39,20 @@ import org.apache.nifi.util.TestRunners;
|
|||
import org.junit.Test;
|
||||
|
||||
public class TestListenSMTP {
|
||||
private static final String SSL_SERVICE_IDENTIFIER = "ssl-context";
|
||||
|
||||
@Test
|
||||
public void testListenSMTP() throws Exception {
|
||||
final ListenSMTP processor = new ListenSMTP();
|
||||
final TestRunner runner = TestRunners.newTestRunner(processor);
|
||||
|
||||
final int port = NetworkUtils.availablePort();
|
||||
runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
|
||||
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
|
||||
final TestRunner runner = newTestRunner(port);
|
||||
|
||||
runner.run(1, false);
|
||||
assertPortListening(port);
|
||||
|
||||
assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000));
|
||||
|
||||
final Properties config = new Properties();
|
||||
config.put("mail.smtp.host", "localhost");
|
||||
config.put("mail.smtp.port", String.valueOf(port));
|
||||
config.put("mail.smtp.connectiontimeout", "5000");
|
||||
config.put("mail.smtp.timeout", "5000");
|
||||
config.put("mail.smtp.writetimeout", "5000");
|
||||
|
||||
final Session session = Session.getInstance(config);
|
||||
session.setDebug(true);
|
||||
|
||||
final Session session = getSession(port);
|
||||
final int numMessages = 5;
|
||||
for (int i = 0; i < numMessages; i++) {
|
||||
final Message email = new MimeMessage(session);
|
||||
email.setFrom(new InternetAddress("alice@nifi.apache.org"));
|
||||
email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
|
||||
email.setSubject("This is a test");
|
||||
email.setText("MSG-" + i);
|
||||
Transport.send(email);
|
||||
sendMessage(session, i);
|
||||
}
|
||||
|
||||
runner.shutdown();
|
||||
|
@ -74,34 +60,92 @@ public class TestListenSMTP {
|
|||
}
|
||||
|
||||
@Test
|
||||
public void testListenSMTPwithTLS() throws Exception {
|
||||
final ListenSMTP processor = new ListenSMTP();
|
||||
final TestRunner runner = TestRunners.newTestRunner(processor);
|
||||
|
||||
public void testListenSMTPwithTLSCurrentVersion() throws Exception {
|
||||
final int port = NetworkUtils.availablePort();
|
||||
runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
|
||||
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
|
||||
final TestRunner runner = newTestRunner(port);
|
||||
|
||||
// Setup the SSL Context
|
||||
final SSLContextService sslContextService = new StandardRestrictedSSLContextService();
|
||||
runner.addControllerService("ssl-context", sslContextService);
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/truststore.jks");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "passwordpassword");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, "JKS");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE, "src/test/resources/keystore.jks");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_PASSWORD, "passwordpassword");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_TYPE, "JKS");
|
||||
runner.enableControllerService(sslContextService);
|
||||
|
||||
// and add the SSL context to the runner
|
||||
runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, "ssl-context");
|
||||
final String tlsProtocol = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion();
|
||||
configureSslContextService(runner, tlsProtocol);
|
||||
runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, SSL_SERVICE_IDENTIFIER);
|
||||
runner.setProperty(ListenSMTP.CLIENT_AUTH, ClientAuth.NONE.name());
|
||||
runner.assertValid();
|
||||
|
||||
runner.run(1, false);
|
||||
assertPortListening(port);
|
||||
final Session session = getSessionTls(port, tlsProtocol);
|
||||
|
||||
final int numMessages = 5;
|
||||
for (int i = 0; i < numMessages; i++) {
|
||||
sendMessage(session, i);
|
||||
}
|
||||
|
||||
runner.shutdown();
|
||||
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, numMessages);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testListenSMTPwithTLSLegacyProtocolException() throws Exception {
|
||||
final int port = NetworkUtils.availablePort();
|
||||
final TestRunner runner = newTestRunner(port);
|
||||
|
||||
configureSslContextService(runner, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
|
||||
runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, SSL_SERVICE_IDENTIFIER);
|
||||
runner.setProperty(ListenSMTP.CLIENT_AUTH, ClientAuth.NONE.name());
|
||||
runner.assertValid();
|
||||
|
||||
runner.run(1, false);
|
||||
assertPortListening(port);
|
||||
|
||||
final Session session = getSessionTls(port, TlsConfiguration.TLS_1_0_PROTOCOL);
|
||||
final MessagingException exception = assertThrows(MessagingException.class, () -> sendMessage(session, 0));
|
||||
assertEquals(exception.getMessage(), "Could not convert socket to TLS");
|
||||
|
||||
runner.shutdown();
|
||||
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testListenSMTPwithTooLargeMessage() throws Exception {
|
||||
final int port = NetworkUtils.availablePort();
|
||||
final TestRunner runner = newTestRunner(port);
|
||||
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_MSG_SIZE, "10 B");
|
||||
|
||||
runner.run(1, false);
|
||||
assertPortListening(port);
|
||||
|
||||
final Session session = getSession(port);
|
||||
assertThrows(MessagingException.class, () -> sendMessage(session, 0));
|
||||
|
||||
runner.shutdown();
|
||||
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0);
|
||||
}
|
||||
|
||||
private TestRunner newTestRunner(final int port) {
|
||||
final ListenSMTP processor = new ListenSMTP();
|
||||
final TestRunner runner = TestRunners.newTestRunner(processor);
|
||||
|
||||
runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
|
||||
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
|
||||
return runner;
|
||||
}
|
||||
|
||||
private void assertPortListening(final int port) {
|
||||
assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000));
|
||||
}
|
||||
|
||||
private Session getSession(final int port) {
|
||||
final Properties config = new Properties();
|
||||
config.put("mail.smtp.host", "localhost");
|
||||
config.put("mail.smtp.port", String.valueOf(port));
|
||||
config.put("mail.smtp.connectiontimeout", "5000");
|
||||
config.put("mail.smtp.timeout", "5000");
|
||||
config.put("mail.smtp.writetimeout", "5000");
|
||||
final Session session = Session.getInstance(config);
|
||||
session.setDebug(true);
|
||||
return session;
|
||||
}
|
||||
|
||||
private Session getSessionTls(final int port, final String tlsProtocol) {
|
||||
final Properties config = new Properties();
|
||||
config.put("mail.smtp.host", "localhost");
|
||||
config.put("mail.smtp.port", String.valueOf(port));
|
||||
|
@ -112,12 +156,14 @@ public class TestListenSMTP {
|
|||
config.put("mail.smtp.connectiontimeout", "5000");
|
||||
config.put("mail.smtp.timeout", "5000");
|
||||
config.put("mail.smtp.writetimeout", "5000");
|
||||
config.put("mail.smtp.ssl.protocols", tlsProtocol);
|
||||
|
||||
final Session session = Session.getInstance(config);
|
||||
session.setDebug(true);
|
||||
return session;
|
||||
}
|
||||
|
||||
final int numMessages = 5;
|
||||
for (int i = 0; i < numMessages; i++) {
|
||||
private void sendMessage(final Session session, final int i) throws MessagingException {
|
||||
final Message email = new MimeMessage(session);
|
||||
email.setFrom(new InternetAddress("alice@nifi.apache.org"));
|
||||
email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
|
||||
|
@ -126,50 +172,16 @@ public class TestListenSMTP {
|
|||
Transport.send(email);
|
||||
}
|
||||
|
||||
runner.shutdown();
|
||||
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, numMessages);
|
||||
private void configureSslContextService(final TestRunner runner, final String tlsProtocol) throws InitializationException {
|
||||
final SSLContextService sslContextService = new StandardRestrictedSSLContextService();
|
||||
runner.addControllerService(SSL_SERVICE_IDENTIFIER, sslContextService);
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/truststore.jks");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "passwordpassword");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, "JKS");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE, "src/test/resources/keystore.jks");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_PASSWORD, "passwordpassword");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_TYPE, "JKS");
|
||||
runner.setProperty(sslContextService, StandardSSLContextService.SSL_ALGORITHM, tlsProtocol);
|
||||
runner.enableControllerService(sslContextService);
|
||||
}
|
||||
|
||||
@Test(expected = MessagingException.class)
|
||||
public void testListenSMTPwithTooLargeMessage() throws Exception {
|
||||
final ListenSMTP processor = new ListenSMTP();
|
||||
final TestRunner runner = TestRunners.newTestRunner(processor);
|
||||
|
||||
final int port = NetworkUtils.availablePort();
|
||||
runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
|
||||
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
|
||||
runner.setProperty(ListenSMTP.SMTP_MAXIMUM_MSG_SIZE, "10 B");
|
||||
|
||||
runner.run(1, false);
|
||||
|
||||
assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000));
|
||||
|
||||
final Properties config = new Properties();
|
||||
config.put("mail.smtp.host", "localhost");
|
||||
config.put("mail.smtp.port", String.valueOf(port));
|
||||
config.put("mail.smtp.connectiontimeout", "5000");
|
||||
config.put("mail.smtp.timeout", "5000");
|
||||
config.put("mail.smtp.writetimeout", "5000");
|
||||
|
||||
final Session session = Session.getInstance(config);
|
||||
session.setDebug(true);
|
||||
|
||||
MessagingException messagingException = null;
|
||||
try {
|
||||
final Message email = new MimeMessage(session);
|
||||
email.setFrom(new InternetAddress("alice@nifi.apache.org"));
|
||||
email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
|
||||
email.setSubject("This is a test");
|
||||
email.setText("MSG-0");
|
||||
Transport.send(email);
|
||||
} catch (final MessagingException e) {
|
||||
messagingException = e;
|
||||
}
|
||||
|
||||
runner.shutdown();
|
||||
runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0);
|
||||
|
||||
if (messagingException != null) throw messagingException;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -87,7 +87,7 @@ public class StandardRestrictedSSLContextService extends StandardSSLContextServi
|
|||
static AllowableValue[] buildAlgorithmAllowableValues() {
|
||||
final Set<String> supportedProtocols = new HashSet<>();
|
||||
|
||||
supportedProtocols.add("TLS");
|
||||
supportedProtocols.add(TlsConfiguration.TLS_PROTOCOL);
|
||||
|
||||
/*
|
||||
* Add specifically supported TLS versions
|
||||
|
|
|
@ -109,10 +109,10 @@ public interface SSLContextService extends ControllerService {
|
|||
* Prepopulate protocols with generic instance types commonly used
|
||||
* see: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
|
||||
*/
|
||||
supportedProtocols.add("TLS");
|
||||
supportedProtocols.add(TlsConfiguration.TLS_PROTOCOL);
|
||||
|
||||
// This is still available for outgoing connections to legacy services, but can be disabled with jdk.tls.disabledAlgorithms
|
||||
supportedProtocols.add("SSL");
|
||||
supportedProtocols.add(TlsConfiguration.SSL_PROTOCOL);
|
||||
|
||||
// Determine those provided by the JVM on the system
|
||||
try {
|
||||
|
|
Loading…
Reference in New Issue