Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-10498 Added Cipher Suite configuration to NiFi Registry 

This closes #6458

Signed-off-by: David Handermann <exceptionfactory@apache.org>
This commit is contained in:
Jeremy Snyder 2022-09-20 14:24:36 -04:00 committed by exceptionfactory
parent e638bcee2f
commit b862fff8f0
No known key found for this signature in database
GPG Key ID: 29B6A52D2AAE8DBA
4 changed files with 80 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
nifi-registry/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc
View File

@ -101,6 +101,29 @@ should run on. If it is desired that the HTTPS interface be accessible from all
NOTE: It is important when enabling HTTPS that the `nifi.registry.web.http.port` property be unset.
[[tls_cipher_suites]]
=== TLS Cipher Suites
The Java Runtime Environment provides the ability to specify custom TLS cipher suites to be used by servers when accepting client connections. See
link:https://java.com/en/configure_crypto.html[here^] for more information. To use this feature for the NiFi web service, the following NiFi properties
may be set:
[options="header,footer"]
|==================================================================================================================================================
| Property Name | Description
|`nifi.registry.web.https.ciphersuites.include` | Set of ciphers that are available to be used by incoming client connections. Replaces system defaults if set.
|`nifi.registry.web.https.ciphersuites.exclude` | Set of ciphers that must not be used by incoming client connections. Filters available ciphers if set.
|==================================================================================================================================================
Each property should take the form of a comma-separated list of common cipher names as specified
link:https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites[here^]. Regular expressions
(for example `^.*GCM_SHA256$`) may also be specified.
The semantics match the use of the following Jetty APIs:
* link:https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/util/ssl/SslContextFactory.html#setIncludeCipherSuites(java.lang.String\...)[SslContextFactory.setIncludeCipherSuites()]
* link:https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/util/ssl/SslContextFactory.html#setExcludeCipherSuites(java.lang.String\...)[SslContextFactory.setExcludeCipherSuites()]
[[user_authentication]]
== User Authentication

18
nifi-registry/nifi-registry-core/nifi-registry-jetty/src/main/java/org/apache/nifi/registry/jetty/JettyServer.java
View File

@ -73,6 +73,8 @@ public class JettyServer {
private static final Logger logger = LoggerFactory.getLogger(JettyServer.class);
private static final String WEB_DEFAULTS_XML = "org/apache/nifi-registry/web/webdefault.xml";
private static final int HEADER_BUFFER_SIZE = 16 * 1024; // 16kb
private static final String CIPHER_SUITE_SEPARATOR_PATTERN = ",\\s*";
private static final FileFilter WAR_FILTER = new FileFilter() {
@Override
@ -214,6 +216,10 @@ public class JettyServer {
}
}
private static String[] getCipherSuites(final String cipherSuitesProperty) {
return cipherSuitesProperty.split(CIPHER_SUITE_SEPARATOR_PATTERN);
}
private SslContextFactory createSslContextFactory() {
final SslContextFactory.Server contextFactory = new SslContextFactory.Server();
@ -259,6 +265,18 @@ public class JettyServer {
contextFactory.setTrustStorePassword(properties.getTrustStorePassword());
}
final String includeCipherSuites = properties.getHttpsCipherSuitesInclude();
if (StringUtils.isNotBlank(includeCipherSuites)) {
final String[] cipherSuites = getCipherSuites(includeCipherSuites);
contextFactory.setIncludeCipherSuites(cipherSuites);
}
final String excludeCipherSuites = properties.getHttpsCipherSuitesExclude();
if (StringUtils.isNotBlank(excludeCipherSuites)) {
final String[] cipherSuites = getCipherSuites(excludeCipherSuites);
contextFactory.setExcludeCipherSuites(cipherSuites);
}
return contextFactory;
}

29
nifi-registry/nifi-registry-core/nifi-registry-jetty/src/test/groovy/org/apache/nifi/registry/jetty/JettyServerGroovyTest.groovy
View File

@ -133,4 +133,33 @@ class JettyServerGroovyTest extends GroovyTestCase {
// Act but expect exception
SslContextFactory sslContextFactory = testServer.createSslContextFactory()
}
@Test
void testCreateSslContextFactoryWithCipherSuites() throws Exception {
// Arrange
NiFiRegistryProperties properties = new NiFiRegistryProperties()
properties.setProperty(NiFiRegistryProperties.SECURITY_TRUSTSTORE, "src/test/resources/truststore.jks")
properties.setProperty(NiFiRegistryProperties.SECURITY_TRUSTSTORE_PASSWD, truststorePassword)
properties.setProperty(NiFiRegistryProperties.SECURITY_TRUSTSTORE_TYPE, "JKS")
properties.setProperty(NiFiRegistryProperties.SECURITY_KEYSTORE, "src/test/resources/keystoreSamePassword.jks")
properties.setProperty(NiFiRegistryProperties.SECURITY_KEYSTORE_PASSWD, matchingPassword)
properties.setProperty(NiFiRegistryProperties.SECURITY_KEYSTORE_TYPE, "JKS")
properties.setProperty(NiFiRegistryProperties.WEB_HTTPS_CIPHERSUITES_INCLUDE, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384")
properties.setProperty(NiFiRegistryProperties.WEB_HTTPS_CIPHERSUITES_EXCLUDE, "BAD_CIPHER")
Server internalServer = new Server()
JettyServer testServer = new JettyServer(internalServer, properties)
// Act
SslContextFactory sslContextFactory = testServer.createSslContextFactory()
sslContextFactory.start()
// Assert this
assertNotNull(sslContextFactory)
assertNotNull(sslContextFactory.getSslContext())
assertEquals("INCLUDE_CIPHER_SUITES", sslContextFactory.getIncludeCipherSuites(), ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"])
assertEquals("EXCLUDE_CIPHER_SUITES", sslContextFactory.getExcludeCipherSuites(), ["BAD_CIPHER"])
}
}

10
nifi-registry/nifi-registry-core/nifi-registry-properties/src/main/java/org/apache/nifi/registry/properties/NiFiRegistryProperties.java
View File

@ -51,6 +51,8 @@ public class NiFiRegistryProperties extends ApplicationProperties {
public static final String WEB_HTTP_HOST = "nifi.registry.web.http.host";
public static final String WEB_HTTPS_PORT = "nifi.registry.web.https.port";
public static final String WEB_HTTPS_HOST = "nifi.registry.web.https.host";
public static final String WEB_HTTPS_CIPHERSUITES_INCLUDE = "nifi.registry.web.https.ciphersuites.include";
public static final String WEB_HTTPS_CIPHERSUITES_EXCLUDE = "nifi.registry.web.https.ciphersuites.exclude";
public static final String WEB_WORKING_DIR = "nifi.registry.web.jetty.working.directory";
public static final String WEB_THREADS = "nifi.registry.web.jetty.threads";
public static final String WEB_SHOULD_SEND_SERVER_VERSION = "nifi.registry.web.should.send.server.version";
@ -174,6 +176,14 @@ public class NiFiRegistryProperties extends ApplicationProperties {
return getProperty(WEB_HTTPS_HOST);
}
public String getHttpsCipherSuitesInclude() {
return getProperty(WEB_HTTPS_CIPHERSUITES_INCLUDE);
}
public String getHttpsCipherSuitesExclude() {
return getProperty(WEB_HTTPS_CIPHERSUITES_EXCLUDE);
}
public boolean getNeedClientAuth() {
boolean needClientAuth = true;
String rawNeedClientAuth = getProperty(SECURITY_NEED_CLIENT_AUTH);