Use of io.cdap.cdap.common.security.HttpsEnabler in project cdap by caskdata.
The class MonitorHandlerTest, method openURL.
/**
 * Opens a connection to the given path on the service under test and sets the request method.
 * For HTTPS URLs, peer certificate validation is switched off via {@code setTrustAll(true)};
 * that is acceptable only because this is test code (presumably the test server presents a
 * certificate that is not in the default trust store).
 *
 * @param path the request path, resolved through {@code createURL}
 * @param method the HTTP method to use for the request
 * @return the prepared, not yet connected, {@link HttpURLConnection}
 * @throws IOException if the connection cannot be created or the method cannot be set
 */
private HttpURLConnection openURL(String path, HttpMethod method) throws IOException {
  HttpURLConnection conn = (HttpURLConnection) createURL(path).openConnection();
  boolean secure = conn instanceof HttpsURLConnection;
  if (secure) {
    // Trust-all client: certificate checks are skipped, so this must never leave test code.
    new HttpsEnabler().setTrustAll(true).enable((HttpsURLConnection) conn);
  }
  conn.setRequestMethod(method.name());
  return conn;
}
Use of io.cdap.cdap.common.security.HttpsEnabler in project cdap by caskdata.
The class NettyRouter, method createServerBootstrap.
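/**
 * Creates the {@link ServerBootstrap} for the router's listening socket.
 * <p>
 * TLS configuration is resolved before the event loop groups are created, so that a
 * misconfigured TLS setup fails without leaving behind event loop groups that are never
 * shut down. Every accepted child channel is registered in {@code channelGroup} and gets the
 * pipeline built in {@code initChannel}: optional {@code ssl}, {@code http-codec},
 * {@code http-status-request-handler}, optional {@code access-token-authenticator} (only when
 * {@code securityEnabled}), optional {@code audit-log}, {@code config-based-request-blocking-handler},
 * {@code expect-continue} and finally {@code http-request-handler}.
 *
 * @param channelGroup group that every accepted channel is added to
 * @return the configured, not yet bound, server bootstrap
 * @throws RuntimeException if {@code sslEnabled} is set but neither a keystore nor a
 *         certificate file is configured
 */
private ServerBootstrap createServerBootstrap(final ChannelGroup channelGroup) {
  // Resolve TLS first: if it throws, no event loop groups have been allocated yet.
  final SSLHandlerFactory sslHandlerFactory = sslEnabled ? buildRouterSslHandlerFactory() : null;
  EventLoopGroup bossGroup = createEventLoopGroup(serverBossThreadPoolSize, "router-server-boss-thread-%d");
  EventLoopGroup workerGroup = createEventLoopGroup(serverWorkerThreadPoolSize, "router-server-worker-thread-%d");
  return new ServerBootstrap()
    .group(bossGroup, workerGroup)
    .channel(NioServerSocketChannel.class)
    .option(ChannelOption.SO_BACKLOG, serverConnectionBacklog)
    .childHandler(new ChannelInitializer<SocketChannel>() {
      @Override
      protected void initChannel(SocketChannel ch) {
        channelGroup.add(ch);
        ChannelPipeline pipeline = ch.pipeline();
        // TLS must be the first handler so that everything after it sees plaintext.
        if (sslHandlerFactory != null) {
          pipeline.addLast("ssl", sslHandlerFactory.create(ch.alloc()));
        }
        pipeline.addLast("http-codec", new HttpServerCodec());
        pipeline.addLast("http-status-request-handler", new HttpStatusRequestHandler());
        // Without securityEnabled no authentication happens; the handlers below then see
        // unauthenticated requests.
        if (securityEnabled) {
          pipeline.addLast("access-token-authenticator", new AuthenticationHandler(cConf, sConf, discoveryServiceClient, userIdentityExtractor));
        }
        // Audit logging runs after the authenticator (when present).
        if (cConf.getBoolean(Constants.Router.ROUTER_AUDIT_LOG_ENABLED)) {
          pipeline.addLast("audit-log", new AuditLogHandler());
        }
        // Will block inbound requests if config for blocking the requests is enabled
        pipeline.addLast("config-based-request-blocking-handler", new ConfigBasedRequestBlockingHandler(cConf));
        // Always let the client to continue sending the request body after the authentication passed
        pipeline.addLast("expect-continue", new HttpServerExpectContinueHandler());
        // for now there's only one hardcoded rule, but if there will be more, we may want it generic and configurable
        pipeline.addLast("http-request-handler", new HttpRequestRouter(cConf, serviceLookup));
      }
    });
}

/**
 * Builds the {@link SSLHandlerFactory} for the router from configuration.
 * <p>
 * A JKS keystore configured in cdap-security.xml ({@code SSL_KEYSTORE_PATH}, with the store and
 * key passwords read from {@code sConf}) takes precedence over a PEM certificate file configured
 * in cdap-site.xml ({@code SSL_CERT_PATH}, with its password read from {@code sConf} and defaulting
 * to the empty string).
 *
 * @return the factory for the configured key material
 * @throws RuntimeException if neither a keystore path nor a certificate path is configured
 */
private SSLHandlerFactory buildRouterSslHandlerFactory() {
  // We support both JKS keystore format and PEM cert file.
  String keyStorePath = sConf.get(Constants.Security.Router.SSL_KEYSTORE_PATH);
  String certFilePath = cConf.get(Constants.Security.Router.SSL_CERT_PATH);
  if (!Strings.isNullOrEmpty(keyStorePath)) {
    SSLConfig sslConfig = SSLConfig.builder(new File(keyStorePath), sConf.get(Constants.Security.Router.SSL_KEYSTORE_PASSWORD))
      .setCertificatePassword(sConf.get(Constants.Security.Router.SSL_KEYPASSWORD))
      .build();
    return new SSLHandlerFactory(sslConfig);
  }
  if (!Strings.isNullOrEmpty(certFilePath)) {
    String password = sConf.get(Constants.Security.Router.SSL_CERT_PASSWORD, "");
    KeyStore keyStore = KeyStores.createKeyStore(Paths.get(certFilePath), password);
    return new HttpsEnabler().setKeyStore(keyStore, password::toCharArray).createSSLHandlerFactory();
  }
  throw new RuntimeException("SSL is enabled but there is no keystore file nor certificate file being configured. Please ensure either '"
    + Constants.Security.Router.SSL_KEYSTORE_PATH + "' is set in cdap-security.xml or '"
    + Constants.Security.Router.SSL_CERT_PATH + "' is set in cdap-site.xml file.");
}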
Use of io.cdap.cdap.common.security.HttpsEnabler in project cdap by caskdata.
The class RuntimeServiceRoutingHandler, method openConnection.
/**
 * Opens a {@link HttpURLConnection} to the given service for the given program run.
 * <p>
 * The program run is checked through {@code requestValidator} before the service is looked up.
 * Every header of the incoming request is copied onto the outgoing connection and the request
 * method is preserved; the returned connection is not yet connected. For HTTPS targets,
 * {@code setTrustAll(true)} disables verification of the target's certificate, so the transport
 * does not authenticate the peer — presumably acceptable for intra-cluster runtime traffic;
 * confirm before routing to anything reachable from outside the cluster.
 *
 * @throws BadRequestException if the request for service routing is not valid
 * @throws ServiceUnavailableException if no instance of the service is picked within the
 *         2-second wait, or the connection object cannot be created
 */
private HttpURLConnection openConnection(HttpRequest request, String namespace, String app, String version, String programType, String program, String run, String service) throws BadRequestException {
  ApplicationId appId = new NamespaceId(namespace).app(app, version);
  ProgramType type = ProgramType.valueOfCategoryName(programType, BadRequestException::new);
  ProgramRunId programRunId = new ProgramRunId(appId, type, program, run);
  requestValidator.getProgramRunStatus(programRunId, request);
  Discoverable target = endpointStrategyLoadingCache.getUnchecked(service).pick(2, TimeUnit.SECONDS);
  if (target == null) {
    throw new ServiceUnavailableException(service);
  }
  // The incoming URI is assumed to start with this routing prefix; whatever follows it is the
  // path forwarded to the target service. NOTE(review): no startsWith check is made — relies on
  // the handler's path binding to guarantee the prefix.
  String routePrefix = String.format("%s/runtime/namespaces/%s/apps/%s/versions/%s/%s/%s/runs/%s/services/%s", Constants.Gateway.INTERNAL_API_VERSION_3, namespace, app, version, programType, program, run, service);
  String forwardedPath = request.uri().substring(routePrefix.length());
  URI targetUri = URIScheme.createURI(target, forwardedPath);
  try {
    URL targetUrl = targetUri.toURL();
    HttpURLConnection connection;
    try {
      connection = (HttpURLConnection) targetUrl.openConnection();
    } catch (IOException e) {
      // If fail to open the connection, treat it as service unavailable so that the client can retry
      throw new ServiceUnavailableException(service);
    }
    if (connection instanceof HttpsURLConnection) {
      // Trust-all: the target's certificate is not validated.
      new HttpsEnabler().setTrustAll(true).enable((HttpsURLConnection) connection);
    }
    // Forward all request headers verbatim (the JDK drops restricted ones such as Host unless
    // configured otherwise).
    for (Map.Entry<String, String> header : request.headers().entries()) {
      connection.setRequestProperty(header.getKey(), header.getValue());
    }
    connection.setRequestMethod(request.method().name());
    connection.setDoInput(true);
    return connection;
  } catch (MalformedURLException | ProtocolException e) {
    // This can only happen if the incoming request is bad
    throw new BadRequestException("Invalid request due to " + e.getMessage(), e);
  }
}
Use of io.cdap.cdap.common.security.HttpsEnabler in project cdap by caskdata.
The class ExternalMTLSAuthenticationServerTest, method openConnection.
/**
 * Opens an HTTPS connection to the given URL that presents the client certificate found in the
 * given classpath keystore resource (mutual TLS). The keystore is loaded with the literal store
 * password {@code "secret"}, while the key password handed to {@link HttpsEnabler} is read from
 * {@code configuration} with the same default — NOTE(review): if the configured password differs
 * from the literal, the two may diverge; confirm this is intended. Server certificate checks are
 * disabled via {@code setTrustAll(true)}, which is fine only in this test.
 *
 * @param url the HTTPS endpoint to connect to
 * @param keyStoreResource classpath location of the JKS keystore holding the client certificate
 * @return the connection configured for client-certificate authentication
 * @throws Exception if the keystore cannot be found or loaded, or the connection cannot be opened
 */
private HttpsURLConnection openConnection(URL url, String keyStoreResource) throws Exception {
  HttpsURLConnection secureConn = (HttpsURLConnection) super.openConnection(url);
  ClassLoader loader = ExternalMTLSAuthenticationServerTest.class.getClassLoader();
  URL keyStoreLocation = loader.getResource(keyStoreResource);
  Assert.assertNotNull(keyStoreLocation);
  KeyStore clientKeyStore = KeyStore.getInstance("JKS");
  try (InputStream keyStoreStream = keyStoreLocation.openConnection().getInputStream()) {
    clientKeyStore.load(keyStoreStream, "secret".toCharArray());
  }
  HttpsEnabler enabler = new HttpsEnabler()
    .setKeyStore(clientKeyStore, () -> configuration.get("security.auth.server.ssl.keystore.password", "secret").toCharArray());
  return enabler.setTrustAll(true).enable(secureConn);
}
Use of io.cdap.cdap.common.security.HttpsEnabler in project cdap by caskdata.
The class AppFabricServer, method startUp.
/**
 * Configures the AppFabricService pre-start.
 * <p>
 * Sets the service logging context, starts all dependent services and waits for them, brings up
 * the HTTP service (with TLS when {@code sslEnabled}, key material configured from
 * {@code cConf}/{@code sConf} by {@link HttpsEnabler}), and finally publishes the current
 * application and namespace counts as gauge metrics.
 *
 * @throws Exception if a dependent service fails to start or the metadata store cannot be read
 */
@Override
protected void startUp() throws Exception {
  LoggingContextAccessor.setLoggingContext(new ServiceLoggingContext(NamespaceId.SYSTEM.getNamespace(), Constants.Logging.COMPONENT_NAME, Constants.Service.APP_FABRIC_HTTP));
  // Start every dependent service and block until all of them are up.
  Futures.allAsList(ImmutableList.of(
    provisioningService.start(),
    applicationLifecycleService.start(),
    bootstrapService.start(),
    programRuntimeService.start(),
    programNotificationSubscriberService.start(),
    runRecordCorrectorService.start(),
    coreSchedulerService.start(),
    eventPublishManager.start(),
    runRecordCounterService.start())).get();
  // One metrics reporter hook per configured hook name.
  List<MetricsReporterHook> reporterHooks = handlerHookNames.stream()
    .map(hookName -> new MetricsReporterHook(metricsCollectionService, hookName))
    .collect(Collectors.toList());
  // Run http service on random port
  NettyHttpService.Builder serviceBuilder = new CommonNettyHttpServiceBuilder(cConf, Constants.Service.APP_FABRIC_HTTP);
  String host = hostname.getCanonicalHostName();
  int backlog = cConf.getInt(Constants.AppFabric.BACKLOG_CONNECTIONS, Constants.AppFabric.DEFAULT_BACKLOG);
  int execThreads = cConf.getInt(Constants.AppFabric.EXEC_THREADS, Constants.AppFabric.DEFAULT_EXEC_THREADS);
  int bossThreads = cConf.getInt(Constants.AppFabric.BOSS_THREADS, Constants.AppFabric.DEFAULT_BOSS_THREADS);
  int workerThreads = cConf.getInt(Constants.AppFabric.WORKER_THREADS, Constants.AppFabric.DEFAULT_WORKER_THREADS);
  int port = cConf.getInt(Constants.AppFabric.SERVER_PORT);
  serviceBuilder = serviceBuilder.setHost(host)
    .setHandlerHooks(reporterHooks)
    .setHttpHandlers(handlers)
    .setConnectionBacklog(backlog)
    .setExecThreadPoolSize(execThreads)
    .setBossThreadPoolSize(bossThreads)
    .setWorkerThreadPoolSize(workerThreads)
    .setPort(port);
  if (sslEnabled) {
    // Key material comes from configuration; without sslEnabled the service listens in plaintext.
    new HttpsEnabler().configureKeyStore(cConf, sConf).enable(serviceBuilder);
  }
  cancelHttpService = startHttpService(serviceBuilder.build());
  long applicationCount = TransactionRunners.run(transactionRunner, (TxCallable<Long>) context -> AppMetadataStore.create(context).getApplicationCount());
  long namespaceCount = new DefaultNamespaceStore(transactionRunner).getNamespaceCount();
  // Publish the counts in the empty (system-wide) metrics context.
  metricsCollectionService.getContext(Collections.emptyMap()).gauge(Constants.Metrics.Program.APPLICATION_COUNT, applicationCount);
  metricsCollectionService.getContext(Collections.emptyMap()).gauge(Constants.Metrics.Program.NAMESPACE_COUNT, namespaceCount);
}