use of io.cdap.http.SSLConfig in project cdap by caskdata.
The method createServerBootstrap of the class NettyRouter.
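/**
 * Builds the Netty {@link ServerBootstrap} for the router's listening socket.
 *
 * <p>The TLS configuration is resolved before any event loop threads are created, so a
 * misconfiguration (SSL enabled without a keystore or certificate file) fails fast without
 * leaving boss/worker thread pools running. The original code allocated both
 * {@link EventLoopGroup}s first and leaked them on that failure path.
 *
 * @param channelGroup group that every accepted child channel is registered with, so the
 *     channels can be closed together on shutdown
 * @return a bootstrap whose child pipeline is, in order: optional {@code ssl}, the HTTP codec,
 *     the status request handler, optional access-token authenticator, optional audit log,
 *     config-based request blocking, expect-continue handling, and finally the request router
 * @throws RuntimeException if SSL is enabled but neither a keystore path nor a certificate
 *     path is configured
 */
private ServerBootstrap createServerBootstrap(final ChannelGroup channelGroup) {
  // Resolve TLS first: if this throws, no EventLoopGroup has been allocated yet.
  final SSLHandlerFactory sslHandlerFactory = createSslHandlerFactory();

  EventLoopGroup bossGroup = createEventLoopGroup(serverBossThreadPoolSize, "router-server-boss-thread-%d");
  EventLoopGroup workerGroup = createEventLoopGroup(serverWorkerThreadPoolSize, "router-server-worker-thread-%d");

  return new ServerBootstrap()
    .group(bossGroup, workerGroup)
    .channel(NioServerSocketChannel.class)
    .option(ChannelOption.SO_BACKLOG, serverConnectionBacklog)
    .childHandler(new ChannelInitializer<SocketChannel>() {
      @Override
      protected void initChannel(SocketChannel ch) {
        channelGroup.add(ch);
        ChannelPipeline pipeline = ch.pipeline();
        // TLS must be the first handler so every handler after it sees plaintext HTTP.
        if (sslHandlerFactory != null) {
          pipeline.addLast("ssl", sslHandlerFactory.create(ch.alloc()));
        }
        pipeline.addLast("http-codec", new HttpServerCodec());
        // NOTE(review): this handler sits ahead of the authenticator, so whatever it answers
        // is served without an access token -- confirm that is intended for the status path.
        pipeline.addLast("http-status-request-handler", new HttpStatusRequestHandler());
        if (securityEnabled) {
          pipeline.addLast("access-token-authenticator",
                           new AuthenticationHandler(cConf, sConf, discoveryServiceClient, userIdentityExtractor));
        }
        // Deliberately read per channel rather than hoisted, to keep the original timing of
        // when the flag is consulted.
        if (cConf.getBoolean(Constants.Router.ROUTER_AUDIT_LOG_ENABLED)) {
          pipeline.addLast("audit-log", new AuditLogHandler());
        }
        // Will block inbound requests if config for blocking the requests is enabled
        pipeline.addLast("config-based-request-blocking-handler", new ConfigBasedRequestBlockingHandler(cConf));
        // Always let the client continue sending the request body after authentication passed
        pipeline.addLast("expect-continue", new HttpServerExpectContinueHandler());
        // For now there's only one hardcoded rule; if more are added this may want to become
        // generic and configurable.
        pipeline.addLast("http-request-handler", new HttpRequestRouter(cConf, serviceLookup));
      }
    });
}

/**
 * Resolves the TLS handler factory from configuration.
 *
 * <p>Two formats are supported, checked in this order: a JKS keystore (path, keystore password
 * and key password from {@code sConf}) takes precedence; otherwise a PEM certificate file
 * (path from {@code cConf}, password from {@code sConf}, defaulting to the empty string).
 * Because the keystore branch wins whenever its path is set, a configured certificate path is
 * silently ignored in that case.
 *
 * @return the factory, or {@code null} when SSL is disabled
 * @throws RuntimeException if SSL is enabled but neither path is configured
 */
private SSLHandlerFactory createSslHandlerFactory() {
  if (!sslEnabled) {
    return null;
  }
  // We support both JKS keystore format and PEM cert file.
  String keyStorePath = sConf.get(Constants.Security.Router.SSL_KEYSTORE_PATH);
  String certFilePath = cConf.get(Constants.Security.Router.SSL_CERT_PATH);

  if (!Strings.isNullOrEmpty(keyStorePath)) {
    SSLConfig sslConfig = SSLConfig
      .builder(new File(keyStorePath), sConf.get(Constants.Security.Router.SSL_KEYSTORE_PASSWORD))
      .setCertificatePassword(sConf.get(Constants.Security.Router.SSL_KEYPASSWORD))
      .build();
    return new SSLHandlerFactory(sslConfig);
  }

  if (!Strings.isNullOrEmpty(certFilePath)) {
    String password = sConf.get(Constants.Security.Router.SSL_CERT_PASSWORD, "");
    KeyStore keyStore = KeyStores.createKeyStore(Paths.get(certFilePath), password);
    return new HttpsEnabler()
      .setKeyStore(keyStore, password::toCharArray)
      .createSSLHandlerFactory();
  }

  // The message names only configuration keys, never the configured secrets.
  throw new RuntimeException("SSL is enabled but there is no keystore file nor certificate file being "
                               + "configured. Please ensure either '" + Constants.Security.Router.SSL_KEYSTORE_PATH
                               + "' is set in cdap-security.xml or '" + Constants.Security.Router.SSL_CERT_PATH
                               + "' is set in cdap-site.xml file.");
}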