From 817f621d6fc7fa44860dc9378b3473bfaa266a53 Mon Sep 17 00:00:00 2001 From: exceptionfactory Date: Mon, 21 Dec 2020 13:37:56 -0500 Subject: [PATCH] NIFI-8096 Deprecated ClientAuth references in SSLContextService - Added SSLContextService.createContext() and refactored referencing components - Removed references to ClientAuth from SslContextFactory methods This closes #4737. 
Signed-off-by: Mark Payne --- .../http/TestHttpNotificationServiceSSL.java | 3 +- .../nifi/security/util/SslContextFactory.java | 61 ++++--------------- .../util/SslContextFactoryTest.groovy | 32 +++------- .../io/socket/ServerSocketConfiguration.java | 4 +- .../nifi/io/socket/SocketConfiguration.java | 4 +- .../processors/AbstractAMQPProcessor.java | 2 +- .../processors/aws/AbstractAWSProcessor.java | 3 +- .../nifi/processors/beats/ListenBeats.java | 2 +- .../cassandra/AbstractCassandraProcessor.java | 16 +---- .../AbstractCassandraProcessorTest.java | 17 ------ .../service/CassandraSessionProvider.java | 20 +----- .../ConfluentSchemaRegistry.java | 5 +- .../ElasticSearchClientServiceImpl.java | 3 +- .../nifi/processors/email/ListenSMTP.java | 10 +-- .../ConnectionLoadBalanceServerTest.groovy | 3 +- .../queue/clustered/LoadBalancedQueueIT.java | 3 +- .../SocketRemoteSiteListenerTest.groovy | 11 +--- .../config/SslConfigurationUtil.java | 3 +- .../jms/cf/JMSConnectionFactoryHandler.java | 3 +- .../org/apache/nifi/ldap/LdapProvider.java | 5 +- .../ldap/tenants/LdapUserGroupProvider.java | 5 +- .../lumberjack/ListenLumberjack.java | 3 +- .../mongodb/AbstractMongoProcessor.java | 14 +---- .../mongodb/AbstractMongoProcessorTest.java | 26 +------- .../mongodb/MongoDBControllerService.java | 20 +----- .../nifi/reporting/s2s/SiteToSiteUtils.java | 3 +- .../nifi/processors/solr/SolrUtils.java | 7 +-- .../solr/MockSSLContextService.java | 5 ++ .../livy/LivySessionController.java | 3 +- .../nifi/processors/splunk/PutSplunk.java | 3 +- .../nifi/processors/standard/GetHTTP.java | 4 +- .../nifi/processors/standard/ListenHTTP.java | 11 +++- .../nifi/processors/standard/ListenRELP.java | 3 +- .../processors/standard/ListenSyslog.java | 2 +- .../nifi/processors/standard/ListenTCP.java | 2 +- .../processors/standard/ListenTCPRecord.java | 2 +- .../nifi/processors/standard/PutSyslog.java | 3 +- .../nifi/processors/standard/PutTCP.java | 3 +- .../standard/TestGetHTTPGroovy.groovy | 2 
+- .../standard/TestPostHTTPGroovy.groovy | 2 +- .../standard/ITestHandleHttpRequest.java | 7 +-- .../processors/standard/TestListenRELP.java | 3 +- .../processors/standard/TestListenTCP.java | 2 +- .../standard/util/TCPTestServer.java | 3 +- .../DistributedMapCacheClientService.java | 3 +- .../DistributedSetCacheClientService.java | 3 +- .../server/DistributedSetCacheServer.java | 3 +- .../server/map/DistributedMapCacheServer.java | 3 +- .../nifi/oauth2/OAuth2TokenProviderImpl.java | 3 +- .../nifi/ssl/StandardSSLContextService.java | 52 ++++++++++------ .../ssl/StandardSSLContextServiceTest.groovy | 4 +- .../nifi/ssl/SSLContextServiceTest.java | 11 ++-- .../apache/nifi/ssl/SSLContextService.java | 30 ++++++--- 53 files changed, 151 insertions(+), 309 deletions(-)
diff --git a/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/http/TestHttpNotificationServiceSSL.java b/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/http/TestHttpNotificationServiceSSL.java
index 5fbbd7c89c..7e1687f10d 100644
--- a/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/http/TestHttpNotificationServiceSSL.java
+++ b/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/http/TestHttpNotificationServiceSSL.java
@@ -31,7 +31,6 @@ import javax.net.ssl.SSLContext;
import javax.xml.parsers.ParserConfigurationException;
import okhttp3.mockwebserver.MockWebServer;
import org.apache.nifi.bootstrap.NotificationServiceManager;
-import org.apache.nifi.security.util.ClientAuth;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
@@ -138,7 +137,7 @@ public class TestHttpNotificationServiceSSL extends TestHttpNotificationServiceC TlsConfiguration tlsConfiguration = new StandardTlsConfiguration("./src/test/resources/keystore.jks", "passwordpassword", null, "JKS", "./src/test/resources/truststore.jks", "passwordpassword", "JKS", TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); - final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED); + final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration); mockWebServer.useHttps(sslContext.getSocketFactory(), false); String configFileOutput = CONFIGURATION_FILE_TEXT.replace("${test.server}", String.valueOf(mockWebServer.url("/"))); diff --git a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java index e2f21bd7d7..de81f14a56 100644 --- a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java +++ b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java 
@@ -43,27 +43,13 @@ public final class SslContextFactory { // TODO: Move to nifi-security-utils-core /** - * Returns a configured {@link SSLContext} from the provided TLS configuration. Hardcodes the - * client auth setting to {@link ClientAuth#REQUIRED} because this method is usually used when - * creating a context for a client, which ignores the setting anyway. + * Create and initialize a {@link SSLContext} from the provided TLS configuration. * * @param tlsConfiguration the TLS configuration container object - * @return the configured SSLContext + * @return {@link SSLContext} initialized from TLS Configuration or null when TLS Configuration is empty * @throws TlsException if there is a problem configuring the SSLContext */ - public static SSLContext createSslContext(TlsConfiguration tlsConfiguration) throws TlsException { - return createSslContext(tlsConfiguration, ClientAuth.REQUIRED); - } - - /** - * Returns a configured {@link SSLContext} from the provided TLS configuration. - * - * @param tlsConfiguration the TLS configuration container object - * @param clientAuth the {@link ClientAuth} setting - * @return the configured SSLContext - * @throws TlsException if there is a problem configuring the SSLContext - */ - public static SSLContext createSslContext(TlsConfiguration tlsConfiguration, ClientAuth clientAuth) throws TlsException { + public static SSLContext createSslContext(final TlsConfiguration tlsConfiguration) throws TlsException { if (TlsConfiguration.isEmpty(tlsConfiguration)) { logger.debug("Cannot create SSLContext from empty TLS configuration; returning null"); return null; 
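Review bot: The new Javadoc on `createSslContext(TlsConfiguration)` should say explicitly that the returned context carries no client-authentication setting, because the method is used for server contexts as well as client ones (ServerSocketConfiguration.createSSLContext in this same patch calls it) and the old doc at least told callers what was assumed. A sentence such as `* Client authentication is not configured on the returned context; server-side callers must set it on the SSLServerSocket, SSLEngine or server connector they create.` would prevent a server component from assuming that REQUIRED is still implied. The `@return` wording "or null when TLS Configuration is empty" is a useful addition; it is worth stating the same on the two-argument overload below. The enclosing class continues outside this hunk.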
@@ -79,31 +65,25 @@ public final class SslContextFactory { } final TrustManager[] trustManagers = getTrustManagers(tlsConfiguration); - return createSslContext(tlsConfiguration, trustManagers, clientAuth); + return createSslContext(tlsConfiguration, trustManagers); } /** - * Returns a configured {@link SSLContext} from the provided TLS configuration and Trust Managers + * Create and initialize a {@link SSLContext} from the provided TLS configuration and Trust Managers. * * @param tlsConfiguration the TLS configuration container object * @param trustManagers Trust Managers can be null to use platform default Trust Managers - * @param clientAuth the {@link ClientAuth} setting - * @return the configured SSLContext + * @return {@link SSLContext} initialized from TLS Configuration or null when TLS Configuration is empty * @throws TlsException if there is a problem configuring the SSLContext */ - public static SSLContext createSslContext(final TlsConfiguration tlsConfiguration, final TrustManager[] trustManagers, ClientAuth clientAuth) throws TlsException { + public static SSLContext createSslContext(final TlsConfiguration tlsConfiguration, final TrustManager[] trustManagers) throws TlsException { if (TlsConfiguration.isEmpty(tlsConfiguration)) { logger.debug("Cannot create SSLContext from empty TLS configuration; returning null"); return null; } - if (clientAuth == null) { - clientAuth = ClientAuth.REQUIRED; - logger.debug("ClientAuth was null so defaulting to {}", clientAuth); - } - final KeyManager[] keyManagers = getKeyManagers(tlsConfiguration); - return initializeSSLContext(tlsConfiguration, clientAuth, keyManagers, trustManagers); + return initializeSSLContext(tlsConfiguration, keyManagers, trustManagers); } /** 
@@ -131,15 +111,13 @@ public final class SslContextFactory { /** * Convenience method to return the {@link SSLSocketFactory} from the created {@link SSLContext} - * because that is what most callers of {@link #createSslContext(TlsConfiguration, ClientAuth)} - * actually need and don't know what to provide for the {@link ClientAuth} parameter. * * @param tlsConfiguration the TLS configuration container object * @return the configured SSLSocketFactory (can be {@code null}) * @throws TlsException if there is a problem creating the SSLContext or SSLSocketFactory */ - public static SSLSocketFactory createSSLSocketFactory(TlsConfiguration tlsConfiguration) throws TlsException { - SSLContext sslContext = createSslContext(tlsConfiguration, ClientAuth.REQUIRED); + public static SSLSocketFactory createSSLSocketFactory(final TlsConfiguration tlsConfiguration) throws TlsException { + SSLContext sslContext = createSslContext(tlsConfiguration); if (sslContext == null) { // Only display an error in the log if the provided config wasn't empty if (!TlsConfiguration.isEmpty(tlsConfiguration)) { 
@@ -209,25 +187,12 @@ public final class SslContextFactory { return trustManagers; } - private static SSLContext initializeSSLContext(TlsConfiguration tlsConfiguration, ClientAuth clientAuth, KeyManager[] keyManagers, TrustManager[] trustManagers) throws TlsException { - final SSLContext sslContext; + private static SSLContext initializeSSLContext(final TlsConfiguration tlsConfiguration, final KeyManager[] keyManagers, final TrustManager[] trustManagers) throws TlsException { try { - sslContext = SSLContext.getInstance(tlsConfiguration.getProtocol()); + final SSLContext sslContext = SSLContext.getInstance(tlsConfiguration.getProtocol()); sslContext.init(keyManagers, trustManagers, new SecureRandom()); - switch (clientAuth) { - case REQUIRED: - sslContext.getDefaultSSLParameters().setNeedClientAuth(true); - break; - case WANT: - sslContext.getDefaultSSLParameters().setWantClientAuth(true); - break; - case NONE: - default: - sslContext.getDefaultSSLParameters().setWantClientAuth(false); - } - return sslContext; - } catch (NoSuchAlgorithmException | KeyManagementException e) { + } catch (final NoSuchAlgorithmException | KeyManagementException e) { logger.error("Encountered an error creating SSLContext from TLS configuration ({}): {}", tlsConfiguration.toString(), e.getLocalizedMessage()); throw new TlsException("Error creating SSL context", e); } diff --git a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/SslContextFactoryTest.groovy b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/SslContextFactoryTest.groovy index 1579b36c17..990f439c22 100644 --- a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/SslContextFactoryTest.groovy +++ b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/SslContextFactoryTest.groovy 
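Review bot: A short comment on `initializeSSLContext` explaining why client authentication is no longer touched would help the next reader, since the removed switch looked like it enforced something: `SSLContext.getDefaultSSLParameters()` returns a copy, so the old `setNeedClientAuth(true)` never affected the context, and the setting has to be applied on the server socket or engine instead. I would add `// Client authentication cannot be set on an SSLContext (getDefaultSSLParameters returns a copy); callers apply it on the server socket or engine` above the `try`. Separately, the unchanged `logger.error(...)` line prints `tlsConfiguration.toString()`; if that string includes keystore or key passwords it would leak them into the log, which is worth confirming against TlsConfiguration.toString since it is outside this diff.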
@@ -99,18 +99,12 @@ class SslContextFactoryTest extends GroovyTestCase { logger.info("Creating SSL Context from TLS Configuration: ${tlsConfiguration}") // Act - SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration) logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}") // Assert assert sslContext.protocol == tlsConfiguration.protocol - def defaultSSLParameters = sslContext.defaultSSLParameters - logger.info("Default SSL Parameters: ${KeyStoreUtils.sslParametersToString(defaultSSLParameters)}" as String) - assertProtocolVersions(defaultSSLParameters.protocols, TlsPlatform.supportedProtocols) - assert !defaultSSLParameters.needClientAuth - assert !defaultSSLParameters.wantClientAuth - // Check a socket created from this context assertSocketProtocols(sslContext) } @@ -129,18 +123,12 @@ class SslContextFactoryTest extends GroovyTestCase { logger.info("Creating SSL Context from TLS Configuration: ${configWithoutKeyPassword}") // Act - SSLContext sslContext = SslContextFactory.createSslContext(configWithoutKeyPassword, ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(configWithoutKeyPassword) logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}") // Assert assert sslContext.protocol == configWithoutKeyPassword.protocol - def defaultSSLParameters = sslContext.defaultSSLParameters - logger.info("Default SSL Parameters: ${KeyStoreUtils.sslParametersToString(defaultSSLParameters)}" as String) - assertProtocolVersions(defaultSSLParameters.protocols, TlsPlatform.supportedProtocols) - assert !defaultSSLParameters.needClientAuth - assert !defaultSSLParameters.wantClientAuth - // Check a socket created from this context assertSocketProtocols(sslContext) } 
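Review bot: The removed assertions include `assertProtocolVersions(defaultSSLParameters.protocols, TlsPlatform.supportedProtocols)`, which checked enabled protocol versions rather than client authentication and so is not made obsolete by this patch. Unless `assertSocketProtocols(sslContext)`, whose body is outside this hunk, already verifies the same thing, keep the protocol check with `assertProtocolVersions(sslContext.defaultSSLParameters.protocols, TlsPlatform.supportedProtocols)` so a regression that enables an outdated protocol is still caught. The same applies to the second hunk in this file.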
@@ -175,12 +163,12 @@ class SslContextFactoryTest extends GroovyTestCase { // Act def noKeystorePathMsg = shouldFail(TlsException) { - SSLContext sslContext = SslContextFactory.createSslContext(configNoKeystorePath, ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(configNoKeystorePath) logger.info("Created SSL Context missing keystore path: ${KeyStoreUtils.sslContextToString(sslContext)}") } def noTruststorePathMsg = shouldFail(TlsException) { - SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePath, ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePath) logger.info("Created SSL Context missing truststore path: ${KeyStoreUtils.sslContextToString(sslContext)}") } @@ -206,18 +194,12 @@ class SslContextFactoryTest extends GroovyTestCase { logger.info("Creating SSL Context from TLS Configuration: ${configNoTruststorePassword}") // Act - SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePassword, ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePassword) logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}") // Assert assert sslContext.protocol == configNoTruststorePassword.protocol - def defaultSSLParameters = sslContext.defaultSSLParameters - logger.info("Default SSL Parameters: ${KeyStoreUtils.sslParametersToString(defaultSSLParameters)}" as String) - assertProtocolVersions(defaultSSLParameters.protocols, TlsPlatform.supportedProtocols) - assert !defaultSSLParameters.needClientAuth - assert !defaultSSLParameters.wantClientAuth - // Check a socket created from this context assertSocketProtocols(sslContext) } 
@@ -239,7 +221,7 @@ class SslContextFactoryTest extends GroovyTestCase { // Act def msg = shouldFail(TlsException) { - SSLContext sslContext = SslContextFactory.createSslContext(keystoreOnlyConfig, ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(keystoreOnlyConfig) logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}") } logger.expected(msg) @@ -259,7 +241,7 @@ class SslContextFactoryTest extends GroovyTestCase { logger.info("Creating SSL Context from TLS Configuration: ${emptyConfig}") // Act - SSLContext sslContext = SslContextFactory.createSslContext(emptyConfig, ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(emptyConfig) // Assert assert !sslContext diff --git a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/ServerSocketConfiguration.java b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/ServerSocketConfiguration.java index 2727d43fbb..746dc0e48b 100644 --- a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/ServerSocketConfiguration.java +++ b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/ServerSocketConfiguration.java @@ -17,7 +17,6 @@ package org.apache.nifi.io.socket; import javax.net.ssl.SSLContext; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; @@ -34,8 +33,7 @@ public final class ServerSocketConfiguration { } public SSLContext createSSLContext() throws TlsException { - // ClientAuth was hardcoded to REQUIRED in removed SSLContextFactory and overridden in SocketUtils when the socket is created - return SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED); + return SslContextFactory.createSslContext(tlsConfiguration); } public void setTlsConfiguration(final TlsConfiguration tlsConfiguration) { 
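Review bot: In ServerSocketConfiguration.createSSLContext the comment that explained where client authentication is actually enforced was dropped along with the `ClientAuth.REQUIRED` argument, leaving a server-side context creation with no hint that client auth must be applied elsewhere. I would keep a one-liner such as `// Client authentication is not carried by the context; it is applied where the server socket is created` above the return. The removed comment said SocketUtils overrides the setting when the socket is created; that code is not in this diff, so it is worth confirming it still sets `setNeedClientAuth(true)` on the SSLServerSocket, because after this change nothing else would require a client certificate.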
diff --git a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketConfiguration.java b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketConfiguration.java
index 8c76f4514a..778be0006e 100644
--- a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketConfiguration.java
+++ b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketConfiguration.java
@@ -17,7 +17,6 @@ package org.apache.nifi.io.socket;
import javax.net.ssl.SSLContext;
-import org.apache.nifi.security.util.ClientAuth;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.security.util.TlsException;
@@ -35,8 +34,7 @@ public final class SocketConfiguration {
private TlsConfiguration tlsConfiguration;
public SSLContext createSSLContext() throws TlsException {
- // This is only used for client sockets, so the client auth setting is ignored
- return SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.NONE);
+ return SslContextFactory.createSslContext(tlsConfiguration);
}
public void setTlsConfiguration(final TlsConfiguration tlsConfiguration) {
diff --git a/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/AbstractAMQPProcessor.java b/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/AbstractAMQPProcessor.java
index 642aa1b400..a5f63d57d3 100644
--- a/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/AbstractAMQPProcessor.java
+++ b/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/AbstractAMQPProcessor.java
@@ -298,7 +298,7 @@ abstract class AbstractAMQPProcessor extends AbstractProce final Boolean useCertAuthentication = context.getProperty(USE_CERT_AUTHENTICATION).asBoolean(); if (sslService != null) { - final SSLContext sslContext = sslService.createSSLContext(ClientAuth.NONE); + final SSLContext sslContext = sslService.createContext(); cf.useSslProtocol(sslContext); if (useCertAuthentication) { diff --git a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/AbstractAWSProcessor.java b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/AbstractAWSProcessor.java index f6bed479c9..987caaf7fa 100644 --- a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/AbstractAWSProcessor.java +++ b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/AbstractAWSProcessor.java @@ -58,7 +58,6 @@ import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors; import org.apache.nifi.proxy.ProxyConfiguration; import org.apache.nifi.proxy.ProxySpec; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; /** @@ -227,7 +226,7 @@ public abstract class AbstractAWSProcessor { switch (severity) { case WARNING: diff --git a/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java b/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java index 5f8a51af2a..9d640cd200 100644 --- a/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java +++ b/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java 
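Review bot: The context is now handed to `cf.useSslProtocol(sslContext)` without hostname verification being enabled; in the RabbitMQ Java client that method only installs the context and does not verify that the broker certificate matches the host, so any certificate chaining to the trust store is accepted. Unless it is done elsewhere in this method (the body continues outside the hunk), add `cf.enableHostnameVerification();` right after `cf.useSslProtocol(sslContext);` (available in amqp-client 4.8/5.4 and later; confirm the version in use). This is independent of the `useCertAuthentication` branch, which concerns the client presenting a certificate rather than validating the server's.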
@@ -55,7 +55,6 @@ import org.apache.nifi.kerberos.KerberosCredentialsService; import org.apache.nifi.processor.ProcessContext; import org.apache.nifi.processor.io.OutputStreamCallback; import org.apache.nifi.processor.util.StandardValidators; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.serialization.RecordSetWriterFactory; import org.apache.nifi.serialization.record.DataType; import org.apache.nifi.serialization.record.ListRecordSet; @@ -78,13 +77,9 @@ import org.apache.solr.common.SolrDocument; import org.apache.solr.common.SolrInputDocument; import org.apache.solr.common.params.ModifiableSolrParams; import org.apache.solr.common.params.MultiMapSolrParams; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; public class SolrUtils { - static final Logger LOGGER = LoggerFactory.getLogger(SolrUtils.class); - public static final AllowableValue SOLR_TYPE_CLOUD = new AllowableValue( "Cloud", "Cloud", "A SolrCloud instance."); @@ -251,7 +246,7 @@ public class SolrUtils { } if (sslContextService != null) { - final SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); + final SSLContext sslContext = sslContextService.createContext(); final SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext); HttpClientUtil.setSchemaRegistryProvider(new HttpClientUtil.SchemaRegistryProvider() { @Override diff --git a/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/MockSSLContextService.java b/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/MockSSLContextService.java index fd66a6159b..005c6f6d24 100644 --- a/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/MockSSLContextService.java +++ b/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/MockSSLContextService.java 
@@ -34,6 +34,11 @@ public class MockSSLContextService extends AbstractControllerService implements return null; } + @Override + public SSLContext createContext() { + return null; + } + @Override public SSLContext createSSLContext(org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException { return null; diff --git a/nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java b/nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java index 390cb62c3c..623774d56f 100644 --- a/nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java +++ b/nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java @@ -77,7 +77,6 @@ import org.apache.nifi.hadoop.KerberosKeytabSPNegoAuthSchemeProvider; import org.apache.nifi.kerberos.KerberosCredentialsService; import org.apache.nifi.logging.ComponentLog; import org.apache.nifi.processor.util.StandardValidators; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.codehaus.jettison.json.JSONException; import org.codehaus.jettison.json.JSONObject; 
@@ -225,7 +224,7 @@ public class LivySessionController extends AbstractControllerService implements
final String jars = context.getProperty(JARS).evaluateAttributeExpressions().getValue();
final String files = context.getProperty(FILES).evaluateAttributeExpressions().getValue();
sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
- sslContext = sslContextService == null ? null : sslContextService.createSSLContext(ClientAuth.NONE);
+ sslContext = sslContextService == null ? null : sslContextService.createContext();
connectTimeout = Math.toIntExact(context.getProperty(CONNECT_TIMEOUT).asTimePeriod(TimeUnit.MILLISECONDS));
credentialsService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
diff --git a/nifi-nar-bundles/nifi-splunk-bundle/nifi-splunk-processors/src/main/java/org/apache/nifi/processors/splunk/PutSplunk.java b/nifi-nar-bundles/nifi-splunk-bundle/nifi-splunk-processors/src/main/java/org/apache/nifi/processors/splunk/PutSplunk.java
index 7e15c1470c..275e5fa5ae 100644
--- a/nifi-nar-bundles/nifi-splunk-bundle/nifi-splunk-processors/src/main/java/org/apache/nifi/processors/splunk/PutSplunk.java
+++ b/nifi-nar-bundles/nifi-splunk-bundle/nifi-splunk-processors/src/main/java/org/apache/nifi/processors/splunk/PutSplunk.java
@@ -45,7 +45,6 @@ import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.io.InputStreamCallback;
import org.apache.nifi.processor.util.put.AbstractPutEventProcessor;
import org.apache.nifi.processor.util.put.sender.ChannelSender;
-import org.apache.nifi.security.util.ClientAuth;
import org.apache.nifi.ssl.SSLContextService;
import org.apache.nifi.stream.io.ByteCountingInputStream;
import org.apache.nifi.stream.io.StreamUtils;
@@ -120,7 +119,7 @@ public class PutSplunk extends AbstractPutEventProcessor { SSLContext sslContext = null; if (sslContextService != null) { - sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); + sslContext = sslContextService.createContext(); } return createSender(protocol, host, port, timeout, maxSendBuffer, sslContext); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java index 54a9bda6ef..5ff3fec024 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java @@ -98,7 +98,6 @@ import org.apache.nifi.processor.Relationship; import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.processors.standard.util.HTTPUtils; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.KeyStoreUtils; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.util.StopWatch; @@ -439,7 +438,8 @@ public class GetHTTP extends AbstractSessionFactoryProcessor { // set the ssl context if necessary if (sslContextService != null) { - clientBuilder.setSslcontext(sslContextService.createSSLContext(ClientAuth.REQUIRED)); + final SSLContext sslContext = sslContextService.createContext(); + clientBuilder.setSSLContext(sslContext); } final String username = context.getProperty(USERNAME).getValue(); 
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java index fa0fcaa4c1..e2019cd876 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java @@ -403,12 +403,19 @@ public class ListenHTTP extends AbstractSessionFactoryProcessor { } private SslContextFactory createSslContextFactory(SSLContextService sslContextService, final ClientAuth clientAuth) { - final SslContextFactory contextFactory = new SslContextFactory.Server(); - final SSLContext sslContext = sslContextService.createSSLContext(clientAuth); + final SslContextFactory.Server contextFactory = new SslContextFactory.Server(); + final SSLContext sslContext = sslContextService.createContext(); contextFactory.setSslContext(sslContext); final TlsConfiguration tlsConfiguration = sslContextService.createTlsConfiguration(); contextFactory.setIncludeProtocols(tlsConfiguration.getEnabledProtocols()); + + if (ClientAuth.REQUIRED.equals(clientAuth)) { + contextFactory.setNeedClientAuth(true); + } else if (ClientAuth.WANT.equals(clientAuth)) { + contextFactory.setWantClientAuth(true); + } + return contextFactory; } diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java index 53477a670b..c34a5b43af 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java 
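Review bot: In `createSslContextFactory` a null `clientAuth` now silently yields a listener that requests no client certificate, because neither `ClientAuth.REQUIRED.equals(null)` nor `ClientAuth.WANT.equals(null)` is true and there is no else branch; the factory code this patch removes used to map null to REQUIRED, so the fail-closed default has been lost on this path. Reject the null up front with `Objects.requireNonNull(clientAuth, "Client Authentication required");` (needs `java.util.Objects`), or map it to `ClientAuth.REQUIRED` as before, so a misconfigured property cannot open the listener to anonymous clients. The explicit `setNeedClientAuth`/`setWantClientAuth` calls on the Jetty `SslContextFactory.Server` are the right place for this now that the context no longer carries the setting.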
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java @@ -146,9 +146,8 @@ public class ListenRELP extends AbstractListenEventBatchingProcessor final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class); if (sslContextService != null) { final String clientAuthValue = context.getProperty(CLIENT_AUTH).getValue(); - sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuthValue)); + sslContext = sslContextService.createContext(); clientAuth = ClientAuth.valueOf(clientAuthValue); - } // if we decide to support SSL then get the context and pass it in here diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java index 4cc7b333c9..0fe02937f1 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java @@ -347,7 +347,7 @@ public class ListenSyslog extends AbstractSyslogProcessor { if (sslContextService != null) { final String clientAuthValue = context.getProperty(CLIENT_AUTH).getValue(); - sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuthValue)); + sslContext = sslContextService.createContext(); clientAuth = ClientAuth.valueOf(clientAuthValue); } 
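Review bot: With `createContext()` the SSLContext no longer encodes the configured client authentication, so in ListenRELP the `clientAuth = ClientAuth.valueOf(clientAuthValue)` assignment is now the only thing that carries the setting, and its consumer is outside this hunk. Please confirm the code that builds the server (the "pass it in here" comment below suggests it is further down in this method) applies `clientAuth` to the SSLServerSocket or SSLEngine; otherwise REQUIRED would be read from the property but never enforced. A comment on that line such as `// Client authentication must be applied on the server socket; the context does not carry it` would make the dependency visible to future edits. The same observation applies to the ListenSyslog hunk in this line.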
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java index 7aac89930f..4787d7e34e 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java @@ -177,7 +177,7 @@ public class ListenTCP extends AbstractListenEventBatchingProcessor sslProperties, ClientAuth clientAuth) { + private static SSLContext useSSLContextService(final TestRunner controller, final Map sslProperties) { final SSLContextService service = new StandardRestrictedSSLContextService(); try { controller.addControllerService("ssl-service", service, sslProperties); @@ -118,7 +117,7 @@ public class ITestHandleHttpRequest { } controller.setProperty(HandleHttpRequest.SSL_CONTEXT, "ssl-service"); - return service.createSSLContext(clientAuth); + return service.createContext(); } @Before @@ -653,7 +652,7 @@ public class ITestHandleHttpRequest { final Map sslProperties = getServerKeystoreProperties(); sslProperties.putAll(getTruststoreProperties()); sslProperties.put(StandardSSLContextService.SSL_ALGORITHM.getName(), TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); - useSSLContextService(runner, sslProperties, twoWaySsl ? ClientAuth.REQUIRED : ClientAuth.NONE); + useSSLContextService(runner, sslProperties); final Thread httpThread = new Thread(new Runnable() { @Override 
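Review bot: In ITestHandleHttpRequest the `twoWaySsl` flag no longer influences anything in this hunk: `useSSLContextService(runner, sslProperties)` drops the `twoWaySsl ? ClientAuth.REQUIRED : ClientAuth.NONE` argument, so unless the processor's client-authentication property is set from `twoWaySsl` elsewhere in this method (it continues outside the hunk), both parameterizations now run the same one-way TLS setup and the mutual-TLS path of HandleHttpRequest is untested. If HandleHttpRequest exposes a client-auth property, set it here, e.g. `runner.setProperty(HandleHttpRequest.CLIENT_AUTH, twoWaySsl ? ClientAuth.REQUIRED.name() : ClientAuth.NONE.name());` (property name to be confirmed), and otherwise remove the now-unused flag so the test does not suggest coverage it no longer has.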
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java index aa6f6baeac..51851f3f5b 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java @@ -38,7 +38,6 @@ import org.apache.nifi.processors.standard.relp.response.RELPResponse; import org.apache.nifi.provenance.ProvenanceEventRecord; import org.apache.nifi.provenance.ProvenanceEventType; import org.apache.nifi.reporting.InitializationException; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.StandardSSLContextService; import org.apache.nifi.util.MockFlowFile; @@ -226,7 +225,7 @@ public class TestListenRELP { // create either a regular socket or ssl socket based on context being passed in if (sslContextService != null) { - final SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); + final SSLContext sslContext = sslContextService.createContext(); socket = sslContext.getSocketFactory().createSocket("localhost", realPort); } else { socket = new Socket("localhost", realPort); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java index c2bb828b89..ab7d5b77f7 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java 
+++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java @@ -140,7 +140,7 @@ public class TestListenTCP { messages.add("This is message 5\n"); // Make an SSLContext with a key and trust store to send the test messages - final SSLContext clientSslContext = SslContextFactory.createSslContext(clientTlsConfiguration, ClientAuth.NONE); + final SSLContext clientSslContext = SslContextFactory.createSslContext(clientTlsConfiguration); runTCP(messages, messages.size(), clientSslContext); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/util/TCPTestServer.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/util/TCPTestServer.java index 8be0bcb314..6b79acb6aa 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/util/TCPTestServer.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/util/TCPTestServer.java @@ -26,7 +26,6 @@ import java.util.List; import java.util.concurrent.ArrayBlockingQueue; import javax.net.ServerSocketFactory; import javax.net.ssl.SSLContext; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; 
@@ -57,7 +56,7 @@ public class TCPTestServer implements Runnable { if(ssl){ TlsConfiguration tlsConfiguration = new StandardTlsConfiguration("src/test/resources/keystore.jks","passwordpassword", null, "JKS", "src/test/resources/truststore.jks", "passwordpassword", "JKS", TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); - final SSLContext sslCtx = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED); + final SSLContext sslCtx = SslContextFactory.createSslContext(tlsConfiguration); ServerSocketFactory sslSocketFactory = sslCtx.getServerSocketFactory(); serverSocket = sslSocketFactory.createServerSocket(0, 0, ipAddress); diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/src/main/java/org/apache/nifi/distributed/cache/client/DistributedMapCacheClientService.java b/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/src/main/java/org/apache/nifi/distributed/cache/client/DistributedMapCacheClientService.java index 31b2248961..943b619248 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/src/main/java/org/apache/nifi/distributed/cache/client/DistributedMapCacheClientService.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/src/main/java/org/apache/nifi/distributed/cache/client/DistributedMapCacheClientService.java @@ -43,7 +43,6 @@ import org.apache.nifi.distributed.cache.protocol.exception.HandshakeException; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.remote.StandardVersionNegotiator; import org.apache.nifi.remote.VersionNegotiator; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
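Review bot: After this change the SSL server socket is created from `sslCtx.getServerSocketFactory()` with no client-authentication setting, so the test server will accept clients that present no certificate even though a truststore is configured and the old call asked for `ClientAuth.REQUIRED`. Per the commit's own rationale the context-level flag was never effective, but if this server is intended to exercise mutual TLS the policy should be applied on the socket: `final SSLServerSocket sslServerSocket = (SSLServerSocket) sslSocketFactory.createServerSocket(0, 0, ipAddress);` `sslServerSocket.setNeedClientAuth(true);` `serverSocket = sslServerSocket;` (requires importing `javax.net.ssl.SSLServerSocket`). If one-way TLS is the intent, a comment saying so, `// one-way TLS: client certificates are not required`, would prevent the next reader from assuming otherwise. The enclosing constructor begins outside this hunk.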
@@ -408,7 +407,7 @@ public class DistributedMapCacheClientService extends AbstractControllerService if (sslContextService == null) { commsSession = new StandardCommsSession(hostname, port, timeoutMillis); } else { - commsSession = new SSLCommsSession(sslContextService.createSSLContext(ClientAuth.REQUIRED), hostname, port, timeoutMillis); + commsSession = new SSLCommsSession(sslContextService.createContext(), hostname, port, timeoutMillis); } commsSession.setTimeout(timeoutMillis, TimeUnit.MILLISECONDS); diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/src/main/java/org/apache/nifi/distributed/cache/client/DistributedSetCacheClientService.java b/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/src/main/java/org/apache/nifi/distributed/cache/client/DistributedSetCacheClientService.java index 06d1a433ce..567bdf37ef 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/src/main/java/org/apache/nifi/distributed/cache/client/DistributedSetCacheClientService.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/src/main/java/org/apache/nifi/distributed/cache/client/DistributedSetCacheClientService.java @@ -39,7 +39,6 @@ import org.apache.nifi.distributed.cache.protocol.exception.HandshakeException; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.remote.StandardVersionNegotiator; import org.apache.nifi.remote.VersionNegotiator; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -115,7 +114,7 @@ public class DistributedSetCacheClientService extends AbstractControllerService if (sslContextService == null) { commsSession = new StandardCommsSession(hostname, port, timeoutMillis); } else { - commsSession = new SSLCommsSession(sslContextService.createSSLContext(ClientAuth.REQUIRED), hostname, port, timeoutMillis); + commsSession = new SSLCommsSession(sslContextService.createContext(), hostname, port, timeoutMillis); } commsSession.setTimeout(timeoutMillis, TimeUnit.MILLISECONDS); diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/DistributedSetCacheServer.java b/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/DistributedSetCacheServer.java index 12ce267345..a6ab0dc29d 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/DistributedSetCacheServer.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/DistributedSetCacheServer.java @@ -21,7 +21,6 @@ import javax.net.ssl.SSLContext; import org.apache.nifi.annotation.documentation.CapabilityDescription; import org.apache.nifi.annotation.documentation.Tags; import org.apache.nifi.controller.ConfigurationContext; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; @Tags({"distributed", "set", "distinct", "cache", "server"}) 
@@ -41,7 +40,7 @@ public class DistributedSetCacheServer extends DistributedCacheServer { if (sslContextService == null) { sslContext = null; } else { - sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); + sslContext = sslContextService.createContext(); } final EvictionPolicy evictionPolicy; diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/map/DistributedMapCacheServer.java b/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/map/DistributedMapCacheServer.java index 0627a552ca..b07b12a6ff 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/map/DistributedMapCacheServer.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/map/DistributedMapCacheServer.java @@ -26,7 +26,6 @@ import org.apache.nifi.controller.ConfigurationContext; import org.apache.nifi.distributed.cache.server.CacheServer; import org.apache.nifi.distributed.cache.server.DistributedCacheServer; import org.apache.nifi.distributed.cache.server.EvictionPolicy; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; @Tags({"distributed", "cluster", "map", "cache", "server", "key/value"}) @@ -47,7 +46,7 @@ public class DistributedMapCacheServer extends DistributedCacheServer { if (sslContextService == null) { sslContext = null; } else { - sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); + sslContext = sslContextService.createContext(); } final EvictionPolicy evictionPolicy; 
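Review bot: DistributedMapCacheServer and DistributedSetCacheServer are server-side components, and `sslContext = sslContextService.createContext();` now yields a context with no client-authentication policy at all, whereas the previous call expressed `ClientAuth.REQUIRED`. The commit's Javadoc states the policy was never applied when initializing the SSLContext, so behaviour is presumably unchanged, but that makes it important that whatever builds the server-side SSLEngine or SSLServerSocket from this context (outside the hunk, in DistributedCacheServer/CacheServer) calls `setNeedClientAuth(true)`; otherwise the cache servers accept unauthenticated TLS clients. I would confirm that and record it at the assignment: `// createContext() carries no client-auth policy; the cache server must require client certificates on the accepted channel`. The enclosing methods start before these hunks.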
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/OAuth2TokenProviderImpl.java b/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/OAuth2TokenProviderImpl.java index 0c234c4994..4407f46cc7 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/OAuth2TokenProviderImpl.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/OAuth2TokenProviderImpl.java @@ -34,7 +34,6 @@ import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.controller.AbstractControllerService; import org.apache.nifi.controller.ConfigurationContext; import org.apache.nifi.processor.exception.ProcessException; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.OkHttpClientUtils; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.ssl.SSLContextService; @@ -60,7 +59,7 @@ public class OAuth2TokenProviderImpl extends AbstractControllerService implement sslService = context.getProperty(SSL_CONTEXT).asControllerService(SSLContextService.class); - sslContext = sslService == null ? null : sslService.createSSLContext(ClientAuth.NONE); + sslContext = sslService == null ? null : sslService.createContext(); } diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java index ece3cb62de..08d9b07ae7 100644 
--- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java
@@ -238,41 +238,57 @@ public class StandardSSLContextService extends AbstractControllerService impleme } /** - * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred - * over the overloaded method which accepts the deprecated {@link ClientAuth} enum. + * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated + * methods due to not requiring a client authentication policy. Invokes createTlsConfiguration() to prepare + * properties for processing. * - * @param clientAuth the desired level of client authentication - * @return the configured SSLContext - * @throws ProcessException if there is a problem configuring the context + * @return {@link SSLContext} initialized using configured properties */ @Override - public SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException { + public SSLContext createContext() { + final TlsConfiguration tlsConfiguration = createTlsConfiguration(); + if (!tlsConfiguration.isTruststorePopulated()) { + getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities"); + } + try { - final TlsConfiguration tlsConfiguration = createTlsConfiguration(); - if (!tlsConfiguration.isTruststorePopulated()) { - getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities"); - } final TrustManager[] trustManagers = SslContextFactory.getTrustManagers(tlsConfiguration); - return SslContextFactory.createSslContext(tlsConfiguration, trustManagers, clientAuth); - } catch (TlsException e) { - getLogger().error("Encountered an error creating the SSL context from the SSL context service: {}", new String[]{e.getLocalizedMessage()}); - throw new ProcessException("Error creating SSL context", e); + return SslContextFactory.createSslContext(tlsConfiguration, trustManagers); + } catch (final TlsException e) { + 
getLogger().error("Unable to create SSLContext: {}", new String[]{e.getLocalizedMessage()}); + throw new ProcessException("Unable to create SSLContext", e); } } /** * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated - * due to the use of the deprecated {@link ClientAuth} enum and the overloaded method - * ({@link #createSSLContext(org.apache.nifi.security.util.ClientAuth)}) is preferred. + * due to the Client Authentication policy not being applicable when initializing the SSLContext * * @param clientAuth the desired level of client authentication * @return the configured SSLContext * @throws ProcessException if there is a problem configuring the context + * @deprecated The {@link #createContext()} method should be used instead */ + @Deprecated + @Override + public SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException { + return createContext(); + } + + /** + * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated + * due to the use of the deprecated {@link ClientAuth} enum + * {@link #createContext()} method is preferred. + * + * @param clientAuth the desired level of client authentication + * @return the configured SSLContext + * @throws ProcessException if there is a problem configuring the context + * @deprecated The {@link #createContext()} method should be used instead + */ + @Deprecated @Override public SSLContext createSSLContext(final ClientAuth clientAuth) throws ProcessException { - org.apache.nifi.security.util.ClientAuth resolvedClientAuth = org.apache.nifi.security.util.ClientAuth.valueOf(clientAuth.name()); - return createSSLContext(resolvedClientAuth); + return createContext(); } @Override 
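Review bot: The new `createContext()` Javadoc omits `@throws ProcessException` even though the body does `throw new ProcessException("Unable to create SSLContext", e);`, and the two deprecated overloads now discard their `clientAuth` argument without the documentation saying so, which matters for server-side callers that passed `REQUIRED` and may believe it is still honoured. I would add `@throws ProcessException if the configured key store or trust store cannot be loaded` to `createContext()`, and change the `@param clientAuth` lines of both deprecated methods to `@param clientAuth ignored; client authentication must be configured on the SSLServerSocket or SSLEngine built from the returned context`. Minor style point: the catch block both logs at error and rethrows with the cause attached, so the same failure is reported twice; either the log line or the wrapping is enough.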
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/groovy/org/apache/nifi/ssl/StandardSSLContextServiceTest.groovy b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/groovy/org/apache/nifi/ssl/StandardSSLContextServiceTest.groovy index 01f86e33f8..8c889f1861 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/groovy/org/apache/nifi/ssl/StandardSSLContextServiceTest.groovy +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/groovy/org/apache/nifi/ssl/StandardSSLContextServiceTest.groovy @@ -176,7 +176,7 @@ class StandardSSLContextServiceTest { runner.assertValid(sslContextService) // Act - SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.NONE) + SSLContext sslContext = sslContextService.createContext(); // Assert assert sslContext @@ -198,7 +198,7 @@ class StandardSSLContextServiceTest { runner.assertValid(sslContextService) // Act - SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.NONE) + SSLContext sslContext = sslContextService.createContext(); // Assert assert sslContext diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/SSLContextServiceTest.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/SSLContextServiceTest.java index d57dbe162f..25fe9d4912 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/SSLContextServiceTest.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/SSLContextServiceTest.java 
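Review bot: Style point on both StandardSSLContextServiceTest hunks: the new line `SSLContext sslContext = sslContextService.createContext();` carries a trailing semicolon while the surrounding Groovy (`runner.assertValid(sslContextService)`, `assert sslContext`) does not, so it reads as a Java paste. Drop it for consistency: `SSLContext sslContext = sslContextService.createContext()`.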
@@ -38,7 +38,6 @@ import org.apache.nifi.components.AllowableValue; import org.apache.nifi.components.ValidationContext; import org.apache.nifi.components.ValidationResult; import org.apache.nifi.reporting.InitializationException; -import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.util.MockProcessContext; import org.apache.nifi.util.MockValidationContext; import org.apache.nifi.util.TestRunner; @@ -146,9 +145,7 @@ public class SSLContextServiceTest { service = (SSLContextService) runner.getProcessContext().getControllerServiceLookup().getControllerService("test-good1"); Assert.assertNotNull(service); SSLContextService sslService = service; - sslService.createSSLContext(ClientAuth.REQUIRED); - sslService.createSSLContext(ClientAuth.WANT); - sslService.createSSLContext(ClientAuth.NONE); + sslService.createContext(); } @Test @@ -257,7 +254,7 @@ public class SSLContextServiceTest { runner.assertValid(); Assert.assertNotNull(service); assertTrue(service instanceof StandardSSLContextService); - service.createSSLContext(ClientAuth.NONE); + service.createContext(); } catch (InitializationException e) { } } @@ -280,7 +277,7 @@ public class SSLContextServiceTest { Assert.assertNotNull(service); assertTrue(service instanceof StandardSSLContextService); SSLContextService sslService = service; - sslService.createSSLContext(ClientAuth.NONE); + sslService.createContext(); } catch (Exception e) { System.out.println(e); Assert.fail("Should not have thrown a exception " + e.getMessage()); @@ -311,7 +308,7 @@ public class SSLContextServiceTest { runner.setProperty("SSL Context Svc ID", "test-diff-keys"); runner.assertValid(); Assert.assertNotNull(service); - service.createSSLContext(ClientAuth.NONE); + service.createContext(); } catch (Exception e) { System.out.println(e); Assert.fail("Should not have thrown a exception " + e.getMessage()); 
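Review bot: In each of these SSLContextServiceTest hunks the result of `createContext()` is discarded (`sslService.createContext();`, `service.createContext();`), so the tests only prove the call does not throw and would not catch an implementation that returns null. Since the old test exercised three ClientAuth values and now makes one call, it is worth tightening what remains: `Assert.assertNotNull(sslService.createContext());` and `Assert.assertNotNull(service.createContext());`. The enclosing test methods start and end outside the hunks.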
diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
index 7c88429b10..fe97caeb35 100644
--- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
+++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
@@ -56,26 +56,38 @@ public interface SSLContextService extends ControllerService { } /** - * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred - * over the overloaded method which accepts the deprecated {@link ClientAuth} enum. + * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated + * create methods due to not requiring a client authentication policy. * - * @param clientAuth the desired level of client authentication - * @return the configured SSLContext - * @throws ProcessException if there is a problem configuring the context + * @return {@link SSLContext} initialized using configured properties */ - SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException; + SSLContext createContext(); /** * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated - * due to the use of the deprecated {@link ClientAuth} enum and the overloaded method - * ({@link #createSSLContext(org.apache.nifi.security.util.ClientAuth)}) is preferred. + * due to {@link org.apache.nifi.security.util.ClientAuth} not being applicable or used when initializing the + * {@link SSLContext} * * @param clientAuth the desired level of client authentication * @return the configured SSLContext * @throws ProcessException if there is a problem configuring the context + * @deprecated The {@link #createContext()} method should be used instead */ @Deprecated - SSLContext createSSLContext(final ClientAuth clientAuth) throws ProcessException; + SSLContext createSSLContext(org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException; + + /** + * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated + * due to the use of the deprecated {@link ClientAuth} enum and the + * ({@link #createContext()}) method is preferred. 
+ * + * @param clientAuth the desired level of client authentication + * @return the configured SSLContext + * @throws ProcessException if there is a problem configuring the context + * @deprecated The {@link #createContext()} method should be used instead + */ + @Deprecated + SSLContext createSSLContext(ClientAuth clientAuth) throws ProcessException; String getTrustStoreFile();