[Broker] Fix config ciphers and protocols to web server
Signed-off-by: Zixuan Liu <[email protected]>
nodece committed Jan 13, 2022
1 parent 4dcb166 commit 3a027f5
Showing 7 changed files with 151 additions and 95 deletions.
Expand Up @@ -30,7 +30,7 @@
import org.apache.pulsar.broker.PulsarServerException;
import org.apache.pulsar.broker.PulsarService;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.common.util.SecurityUtility;
import org.apache.pulsar.common.util.jetty.JettySslContextFactory;
import org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
Expand Down Expand Up @@ -109,17 +109,23 @@ public WebService(PulsarService pulsar) throws PulsarServerException {
config.getTlsTrustStore(),
config.getTlsTrustStorePassword(),
config.isTlsRequireTrustedClientCertOnConnect(),
config.getWebServiceTlsCiphers(),
config.getWebServiceTlsProtocols(),
config.getWebServiceTlsCiphers() != null ? config.getWebServiceTlsCiphers() :
config.getTlsCiphers(),
config.getWebServiceTlsProtocols() != null ? config.getWebServiceTlsProtocols() :
config.getTlsCiphers(),
config.getTlsCertRefreshCheckDurationSec()
);
} else {
sslCtxFactory = SecurityUtility.createSslContextFactory(
sslCtxFactory = JettySslContextFactory.createServerSslContext(
config.isTlsAllowInsecureConnection(),
config.getTlsTrustCertsFilePath(),
config.getTlsCertificateFilePath(),
config.getTlsKeyFilePath(),
config.isTlsRequireTrustedClientCertOnConnect(), true,
config.isTlsRequireTrustedClientCertOnConnect(),
config.getWebServiceTlsCiphers() != null ? config.getWebServiceTlsCiphers() :
config.getTlsCiphers(),
config.getWebServiceTlsProtocols() != null ? config.getWebServiceTlsProtocols() :
config.getTlsCiphers(),
config.getTlsCertRefreshCheckDurationSec());
}
httpsConnector = new PulsarServerConnector(server, 1, 1, sslCtxFactory);
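Review bot: The protocol fallback on the new lines is wrong in both branches: `config.getWebServiceTlsProtocols() != null ? config.getWebServiceTlsProtocols() : config.getTlsCiphers()` substitutes the cipher list for the protocol list, so a broker that sets only the broker-level TLS protocols would feed cipher-suite names to Jetty's `setIncludeProtocols`, and since no cipher name is a protocol name the include filter would most likely leave the connector with no enabled protocol. Assuming ServiceConfiguration exposes `getTlsProtocols()` alongside `getTlsCiphers()`, the line should read `config.getWebServiceTlsProtocols() != null ? config.getWebServiceTlsProtocols() : config.getTlsProtocols()`. The same ternary pair is duplicated in the keystore and PEM branches; two private helpers (`webServiceTlsCiphers()`, `webServiceTlsProtocols()`) would make the fallback impossible to get wrong in one branch only. The WebService constructor continues outside the hunk.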
Expand Up @@ -517,52 +517,4 @@ private static void setupClientAuthentication(SslContextBuilder builder,
builder.clientAuth(ClientAuth.OPTIONAL);
}
}

public static SslContextFactory createSslContextFactory(boolean tlsAllowInsecureConnection,
String tlsTrustCertsFilePath, String tlsCertificateFilePath, String tlsKeyFilePath,
boolean tlsRequireTrustedClientCertOnConnect, boolean autoRefresh, long certRefreshInSec)
throws GeneralSecurityException, SSLException, FileNotFoundException, IOException {
SslContextFactory sslCtxFactory = null;
if (autoRefresh) {
sslCtxFactory = new SslContextFactoryWithAutoRefresh(tlsAllowInsecureConnection, tlsTrustCertsFilePath,
tlsCertificateFilePath, tlsKeyFilePath, tlsRequireTrustedClientCertOnConnect, 0);
} else {
sslCtxFactory = new SslContextFactory();
SSLContext sslCtx = createSslContext(tlsAllowInsecureConnection, tlsTrustCertsFilePath,
tlsCertificateFilePath, tlsKeyFilePath);
sslCtxFactory.setSslContext(sslCtx);
}
if (tlsRequireTrustedClientCertOnConnect) {
sslCtxFactory.setNeedClientAuth(true);
} else {
sslCtxFactory.setWantClientAuth(true);
}
sslCtxFactory.setTrustAll(true);
return sslCtxFactory;
}

/**
* {@link SslContextFactory} that auto-refresh SSLContext.
*/
static class SslContextFactoryWithAutoRefresh extends SslContextFactory {

private final DefaultSslContextBuilder sslCtxRefresher;

public SslContextFactoryWithAutoRefresh(boolean tlsAllowInsecureConnection, String tlsTrustCertsFilePath,
String tlsCertificateFilePath, String tlsKeyFilePath, boolean tlsRequireTrustedClientCertOnConnect,
long certRefreshInSec)
throws SSLException, FileNotFoundException, GeneralSecurityException, IOException {
super();
sslCtxRefresher = new DefaultSslContextBuilder(tlsAllowInsecureConnection, tlsTrustCertsFilePath,
tlsCertificateFilePath, tlsKeyFilePath, tlsRequireTrustedClientCertOnConnect, certRefreshInSec);
if (CONSCRYPT_PROVIDER != null) {
setProvider(CONSCRYPT_PROVIDER.getName());
}
}

@Override
public SSLContext getSslContext() {
return sslCtxRefresher.get();
}
}
}
@@ -0,0 +1,112 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.pulsar.common.util.jetty;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.apache.pulsar.common.util.DefaultSslContextBuilder;
import org.apache.pulsar.common.util.SecurityUtility;
import org.apache.pulsar.common.util.SslContextAutoRefreshBuilder;
import org.apache.pulsar.common.util.keystoretls.NetSslContextBuilder;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class JettySslContextFactory {
public static SslContextFactory.Server createServerSslContextWithKeystore(String sslProviderString,
String keyStoreTypeString,
String keyStore,
String keyStorePassword,
boolean allowInsecureConnection,
String trustStoreTypeString,
String trustStore,
String trustStorePassword,
boolean requireTrustedClientCertOnConnect,
Set<String> ciphers,
Set<String> protocols,
long certRefreshInSec){
NetSslContextBuilder sslCtxRefresher = new NetSslContextBuilder(
sslProviderString,
keyStoreTypeString,
keyStore,
keyStorePassword,
allowInsecureConnection,
trustStoreTypeString,
trustStore,
trustStorePassword,
requireTrustedClientCertOnConnect,
certRefreshInSec);

return new Server(sslProviderString, sslCtxRefresher, requireTrustedClientCertOnConnect, ciphers, protocols);
}

public static SslContextFactory createServerSslContext(boolean tlsAllowInsecureConnection,
String tlsTrustCertsFilePath,
String tlsCertificateFilePath,
String tlsKeyFilePath,
boolean tlsRequireTrustedClientCertOnConnect,
Set<String> ciphers,
Set<String> protocols,
long certRefreshInSec)
throws GeneralSecurityException, IOException {
DefaultSslContextBuilder sslCtxRefresher =
new DefaultSslContextBuilder(tlsAllowInsecureConnection, tlsTrustCertsFilePath,
tlsCertificateFilePath, tlsKeyFilePath, tlsRequireTrustedClientCertOnConnect, certRefreshInSec);

return new Server(null, sslCtxRefresher, tlsRequireTrustedClientCertOnConnect, ciphers, protocols);
}

private static class Server extends SslContextFactory.Server {
private final SslContextAutoRefreshBuilder<SSLContext> sslCtxRefresher;

public Server(String sslProviderString, SslContextAutoRefreshBuilder<SSLContext> sslCtxRefresher,
boolean requireTrustedClientCertOnConnect, Set<String> ciphers, Set<String> protocols) {
super();
this.sslCtxRefresher = sslCtxRefresher;

if (ciphers != null && ciphers.size() > 0) {
this.setIncludeCipherSuites(ciphers.toArray(new String[0]));
}

if (protocols != null && protocols.size() > 0) {
this.setIncludeProtocols(protocols.toArray(new String[0]));
}

if (sslProviderString != null && !sslProviderString.equals("")) {
setProvider(sslProviderString);
} else {
if (SecurityUtility.CONSCRYPT_PROVIDER != null) {
setProvider(SecurityUtility.CONSCRYPT_PROVIDER.getName());
}
}

if (requireTrustedClientCertOnConnect) {
this.setNeedClientAuth(true);
} else {
this.setWantClientAuth(true);
}
this.setTrustAll(true);
}

@Override
public SSLContext getSslContext() {
return sslCtxRefresher.get();
}
}
}
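Review bot: `this.setTrustAll(true)` in the nested `Server` constructor is carried over from the removed SecurityUtility and KeyStoreSSLContext code, but lands in a new class with no explanation of why a server-side factory that may demand client certificates trusts everything; since `getSslContext()` is overridden to return the refresher's context, the flag presumably only keeps Jetty's own start-up from insisting on a keystore/truststore — confirm, and record it: `// Trust decisions are made by the SSLContext from sslCtxRefresher; trustAll only stops Jetty's doStart() from requiring its own key/trust store.` `createServerSslContext` is declared to return `SslContextFactory` even though it builds the same `Server` as `createServerSslContextWithKeystore`, which returns `SslContextFactory.Server`; returning `SslContextFactory.Server` from both keeps callers from needing a cast. The public class and both factory methods have no Javadoc; a summary naming the two certificate sources (PEM files vs. key/trust stores) and stating that null or empty `ciphers`/`protocols` leave Jetty's defaults in force would help, and `ciphers.size() > 0` / `sslProviderString.equals("")` read better as `!ciphers.isEmpty()` / `sslProviderString.isEmpty()`.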
Expand Up @@ -38,6 +38,7 @@
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.apache.pulsar.common.util.SecurityUtility;
import org.apache.pulsar.common.util.jetty.JettySslContextFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
Expand Down Expand Up @@ -352,16 +353,7 @@ public static SslContextFactory.Server createSslContextFactory(String sslProvide
Set<String> ciphers,
Set<String> protocols,
long certRefreshInSec) {
SslContextFactory.Server sslCtxFactory;

if (sslProviderString == null) {
Provider provider = SecurityUtility.CONSCRYPT_PROVIDER;
if (provider != null) {
sslProviderString = provider.getName();
}
}

sslCtxFactory = new JettySslContextFactoryWithAutoRefresh(
return JettySslContextFactory.createServerSslContextWithKeystore(
sslProviderString,
keyStoreTypeString,
keyStore,
Expand All @@ -373,16 +365,8 @@ public static SslContextFactory.Server createSslContextFactory(String sslProvide
requireTrustedClientCertOnConnect,
ciphers,
protocols,
certRefreshInSec);

if (requireTrustedClientCertOnConnect) {
sslCtxFactory.setNeedClientAuth(true);
} else {
sslCtxFactory.setWantClientAuth(true);
}
sslCtxFactory.setTrustAll(true);

return sslCtxFactory;
certRefreshInSec
);
}
}
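Review bot: With the Conscrypt fallback removed from this method, the `java.security.Provider` local is gone and the `SecurityUtility` import kept on the new import line looks unused in this file; Pulsar's checkstyle rejects unused imports, so drop whichever of the two nothing else in the file references — the rest of the file is outside the hunk, so this is an inference. If `createSslContextFactory` carries a Javadoc above the hunk, it should now say that provider selection (explicit `sslProviderString`, else Conscrypt when available) happens in `JettySslContextFactory`, since that behaviour is no longer visible here.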

Expand Up @@ -19,13 +19,18 @@
package org.apache.pulsar.functions.worker.rest;

import io.prometheus.client.jetty.JettyStatisticsCollector;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Optional;
import javax.servlet.DispatcherType;
import lombok.extern.slf4j.Slf4j;
import org.apache.pulsar.broker.authentication.AuthenticationService;
import org.apache.pulsar.broker.web.AuthenticationFilter;
import org.apache.pulsar.broker.web.RateLimitingFilter;
import org.apache.pulsar.broker.web.JettyRequestLogFactory;
import org.apache.pulsar.broker.web.RateLimitingFilter;
import org.apache.pulsar.broker.web.WebExecutorThreadPool;
import org.apache.pulsar.common.util.SecurityUtility;
import org.apache.pulsar.common.util.jetty.JettySslContextFactory;
import org.apache.pulsar.functions.worker.WorkerConfig;
import org.apache.pulsar.functions.worker.WorkerService;
import org.apache.pulsar.functions.worker.rest.api.v2.WorkerApiV2Resource;
Expand All @@ -45,13 +50,6 @@
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.servlet.ServletContainer;

import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Optional;

import javax.servlet.DispatcherType;

@Slf4j
public class WorkerServer {

Expand Down Expand Up @@ -122,11 +120,11 @@ private void init() {

if (this.workerConfig.getTlsEnabled()) {
try {
SslContextFactory sslCtxFactory = SecurityUtility.createSslContextFactory(
SslContextFactory sslCtxFactory = JettySslContextFactory.createServerSslContext(
this.workerConfig.isTlsAllowInsecureConnection(), this.workerConfig.getTlsTrustCertsFilePath(),
this.workerConfig.getTlsCertificateFilePath(), this.workerConfig.getTlsKeyFilePath(),
this.workerConfig.isTlsRequireTrustedClientCertOnConnect(),
true,
null, null,
this.workerConfig.getTlsCertRefreshCheckDurationSec());
httpsConnector = new ServerConnector(server, 1, 1, sslCtxFactory);
httpsConnector.setPort(this.workerConfig.getWorkerPortTls());
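Review bot: Passing `null, null` for ciphers and protocols pins the function worker's HTTPS connector to Jetty's default cipher and protocol selection no matter what is configured; if WorkerConfig carries TLS cipher/protocol settings the way ServiceConfiguration does (`getTlsCiphers()` and friends), they are silently ignored here, and if it does not, a comment should make the nulls deliberate: `// WorkerConfig has no cipher/protocol lists; Jetty's defaults apply`. The `init()` method continues outside the hunk.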
Expand Up @@ -35,7 +35,7 @@
import org.apache.pulsar.broker.web.JsonMapperProvider;
import org.apache.pulsar.broker.web.RateLimitingFilter;
import org.apache.pulsar.broker.web.WebExecutorThreadPool;
import org.apache.pulsar.common.util.SecurityUtility;
import org.apache.pulsar.common.util.jetty.JettySslContextFactory;
import org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Handler;
Expand Down Expand Up @@ -108,18 +108,23 @@ public WebServer(ProxyConfiguration config, AuthenticationService authentication
config.getTlsTrustStore(),
config.getTlsTrustStorePassword(),
config.isTlsRequireTrustedClientCertOnConnect(),
config.getWebServiceTlsCiphers(),
config.getWebServiceTlsProtocols(),
config.getWebServiceTlsCiphers() != null ? config.getWebServiceTlsCiphers() :
config.getTlsCiphers(),
config.getWebServiceTlsProtocols() != null ? config.getWebServiceTlsProtocols() :
config.getTlsCiphers(),
config.getTlsCertRefreshCheckDurationSec()
);
} else {
sslCtxFactory = SecurityUtility.createSslContextFactory(
sslCtxFactory = JettySslContextFactory.createServerSslContext(
config.isTlsAllowInsecureConnection(),
config.getTlsTrustCertsFilePath(),
config.getTlsCertificateFilePath(),
config.getTlsKeyFilePath(),
config.isTlsRequireTrustedClientCertOnConnect(),
true,
config.getWebServiceTlsCiphers() != null ? config.getWebServiceTlsCiphers() :
config.getTlsCiphers(),
config.getWebServiceTlsProtocols() != null ? config.getWebServiceTlsProtocols() :
config.getTlsCiphers(),
config.getTlsCertRefreshCheckDurationSec());
}
connectorTls = new ServerConnector(server, 1, 1, sslCtxFactory);
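Review bot: The protocol fallback is wrong in both the keystore and the PEM branch: `config.getWebServiceTlsProtocols() != null ? config.getWebServiceTlsProtocols() : config.getTlsCiphers()` hands the cipher list to Jetty's `setIncludeProtocols` whenever `webServiceTlsProtocols` is unset, which would most likely leave the proxy's TLS connector with no enabled protocol. Assuming ProxyConfiguration has `getTlsProtocols()` next to `getTlsCiphers()`, the fallback should be `config.getWebServiceTlsProtocols() != null ? config.getWebServiceTlsProtocols() : config.getTlsProtocols()`. The WebServer constructor continues outside the hunk.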
Expand Up @@ -23,18 +23,16 @@
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

import java.util.stream.Collectors;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.websocket.DeploymentException;

import org.apache.pulsar.broker.PulsarServerException;
import org.apache.pulsar.broker.web.JsonMapperProvider;
import org.apache.pulsar.broker.web.JettyRequestLogFactory;
import org.apache.pulsar.broker.web.JsonMapperProvider;
import org.apache.pulsar.broker.web.WebExecutorThreadPool;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.common.util.SecurityUtility;
import org.apache.pulsar.common.util.jetty.JettySslContextFactory;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
Expand Down Expand Up @@ -74,13 +72,14 @@ public ProxyServer(WebSocketProxyConfiguration config)
// TLS enabled connector
if (config.getWebServicePortTls().isPresent()) {
try {
SslContextFactory sslCtxFactory = SecurityUtility.createSslContextFactory(
SslContextFactory sslCtxFactory = JettySslContextFactory.createServerSslContext(
config.isTlsAllowInsecureConnection(),
config.getTlsTrustCertsFilePath(),
config.getTlsCertificateFilePath(),
config.getTlsKeyFilePath(),
config.isTlsRequireTrustedClientCertOnConnect(),
true,
null,
null,
config.getTlsCertRefreshCheckDurationSec());
connectorTls = new ServerConnector(server, -1, -1, sslCtxFactory);
connectorTls.setPort(config.getWebServicePortTls().get());
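Review bot: The two `null` arguments leave the WebSocket proxy's TLS connector on Jetty's default cipher and protocol selection with nothing in the code saying that is intended; if WebSocketProxyConfiguration exposes cipher/protocol lists they are ignored here, otherwise a one-line comment, `// no cipher/protocol lists in WebSocketProxyConfiguration; Jetty defaults apply`, would stop the next reader from treating this as an oversight. The ProxyServer constructor continues outside the hunk.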
