
Example 1 with SSLHandlerFactory

Use of io.cdap.http.SSLHandlerFactory in project cdap by caskdata.

From class NettyRouter, method createServerBootstrap. The method builds the router's server bootstrap: it resolves TLS key material (JKS keystore or PEM certificate) when SSL is enabled, fails closed when neither is configured, and installs the channel pipeline with the TLS handler first and the access-token authenticator ahead of the audit log, request-blocking and routing handlers.

private ServerBootstrap createServerBootstrap(final ChannelGroup channelGroup) {
    EventLoopGroup bossGroup = createEventLoopGroup(serverBossThreadPoolSize, "router-server-boss-thread-%d");
    EventLoopGroup workerGroup = createEventLoopGroup(serverWorkerThreadPoolSize, "router-server-worker-thread-%d");
    SSLHandlerFactory sslHandlerFactory = null;
    if (sslEnabled) {
        // We support both JKS keystore format and PEM cert file.
        // Keystore path and passwords come from cdap-security.xml (sConf); the PEM path from cdap-site.xml (cConf).
        String keyStorePath = sConf.get(Constants.Security.Router.SSL_KEYSTORE_PATH);
        String certFilePath = cConf.get(Constants.Security.Router.SSL_CERT_PATH);
        if (!Strings.isNullOrEmpty(keyStorePath)) {
            SSLConfig sslConfig = SSLConfig.builder(new File(keyStorePath),
                                                    sConf.get(Constants.Security.Router.SSL_KEYSTORE_PASSWORD))
                .setCertificatePassword(sConf.get(Constants.Security.Router.SSL_KEYPASSWORD))
                .build();
            sslHandlerFactory = new SSLHandlerFactory(sslConfig);
        } else if (!Strings.isNullOrEmpty(certFilePath)) {
            String password = sConf.get(Constants.Security.Router.SSL_CERT_PASSWORD, "");
            KeyStore keyStore = KeyStores.createKeyStore(Paths.get(certFilePath), password);
            sslHandlerFactory = new HttpsEnabler()
                .setKeyStore(keyStore, password::toCharArray)
                .createSSLHandlerFactory();
        }
        // Fail closed: SSL was requested but no key material is configured, so refuse to start
        // rather than silently listen in plaintext.
        if (sslHandlerFactory == null) {
            throw new RuntimeException("SSL is enabled but there is no keystore file nor certificate file being "
                                         + "configured. Please ensure either '" + Constants.Security.Router.SSL_KEYSTORE_PATH
                                         + "' is set in cdap-security.xml or '" + Constants.Security.Router.SSL_CERT_PATH
                                         + "' is set in cdap-site.xml file.");
        }
    }
    SSLHandlerFactory finalSSLHandlerFactory = sslHandlerFactory;
    return new ServerBootstrap()
        .group(bossGroup, workerGroup)
        .channel(NioServerSocketChannel.class)
        .option(ChannelOption.SO_BACKLOG, serverConnectionBacklog)
        .childHandler(new ChannelInitializer<SocketChannel>() {

        @Override
        protected void initChannel(SocketChannel ch) {
            channelGroup.add(ch);
            ChannelPipeline pipeline = ch.pipeline();
            // The TLS handler must be first so every later handler sees decrypted bytes.
            if (finalSSLHandlerFactory != null) {
                pipeline.addLast("ssl", finalSSLHandlerFactory.create(ch.alloc()));
            }
            pipeline.addLast("http-codec", new HttpServerCodec());
            // Handlers added before the authenticator answer requests without a token.
            pipeline.addLast("http-status-request-handler", new HttpStatusRequestHandler());
            // Authentication sits ahead of audit logging, request blocking and routing, so an
            // unauthenticated request is rejected before it reaches any of them.
            if (securityEnabled) {
                pipeline.addLast("access-token-authenticator",
                                 new AuthenticationHandler(cConf, sConf, discoveryServiceClient, userIdentityExtractor));
            }
            if (cConf.getBoolean(Constants.Router.ROUTER_AUDIT_LOG_ENABLED)) {
                pipeline.addLast("audit-log", new AuditLogHandler());
            }
            // Will block inbound requests if config for blocking the requests is enabled
            pipeline.addLast("config-based-request-blocking-handler", new ConfigBasedRequestBlockingHandler(cConf));
            // Always let the client continue sending the request body once authentication has passed
            pipeline.addLast("expect-continue", new HttpServerExpectContinueHandler());
            // for now there's only one hardcoded rule, but if there will be more, we may want it generic and configurable
            pipeline.addLast("http-request-handler", new HttpRequestRouter(cConf, serviceLookup));
        }
    });
}
Also used:
import io.cdap.http.SSLConfig;
import io.cdap.http.SSLHandlerFactory;
import io.cdap.cdap.common.security.HttpsEnabler;
import io.cdap.cdap.gateway.router.handlers.AuditLogHandler;
import io.cdap.cdap.gateway.router.handlers.AuthenticationHandler;
import io.cdap.cdap.gateway.router.handlers.ConfigBasedRequestBlockingHandler;
import io.cdap.cdap.gateway.router.handlers.HttpRequestRouter;
import io.cdap.cdap.gateway.router.handlers.HttpStatusRequestHandler;
import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.codec.http.HttpServerExpectContinueHandler;
import java.io.File;
import java.security.KeyStore;
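As an added illustration, not part of CDAP's code: a stand-alone Netty 4.1 server that reproduces the two security-relevant properties of the method above, the fail-closed check when TLS is enabled but no key material is configured, and the handler ordering (TLS handler first, HTTP codec, token authentication ahead of the expect-continue handler and the router) so that an unauthenticated request is answered with 401 and its body never reaches the router. The class and handler names (MinimalSecureRouter, BearerTokenAuthHandler, EchoRouter), the demo certificate from io.netty.handler.ssl.util.SelfSignedCertificate, the listen address 127.0.0.1:8443 and the token taken from the command line are assumptions of this example, not CDAP configuration or CDAP's AuthenticationHandler.

```java
import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.Unpooled;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.http.*;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.util.ReferenceCountUtil;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public final class MinimalSecureRouter {

  // Fail closed: TLS requested but no key material configured is a startup error, not a plaintext listener.
  static SslContext buildSslContext(boolean sslEnabled, File certChain, File privateKey) throws Exception {
    if (!sslEnabled) {
      return null;
    }
    if (certChain == null || privateKey == null) {
      throw new IllegalStateException("SSL is enabled but no certificate chain / private key is configured");
    }
    return SslContextBuilder.forServer(certChain, privateKey).build();
  }

  // Rejects any request without the expected bearer token and swallows the rest of that request's body.
  static final class BearerTokenAuthHandler extends ChannelInboundHandlerAdapter {
    private final byte[] expected;
    private boolean rejected;   // one handler instance per channel, so per-connection state is safe here

    BearerTokenAuthHandler(String expectedToken) {
      this.expected = ("Bearer " + expectedToken).getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
      if (msg instanceof HttpRequest) {
        String auth = ((HttpRequest) msg).headers().get(HttpHeaderNames.AUTHORIZATION);
        byte[] presented = auth == null ? new byte[0] : auth.getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so the token cannot be probed byte by byte through timing.
        rejected = !MessageDigest.isEqual(expected, presented);
        if (rejected) {
          ReferenceCountUtil.release(msg);
          FullHttpResponse resp = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED,
              Unpooled.copiedBuffer("unauthorized\n", StandardCharsets.UTF_8));
          resp.headers().set(HttpHeaderNames.WWW_AUTHENTICATE, "Bearer");
          resp.headers().set(HttpHeaderNames.CONTENT_LENGTH, resp.content().readableBytes());
          resp.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE);
          ctx.writeAndFlush(resp).addListener(ChannelFutureListener.CLOSE);
          return;
        }
      } else if (rejected) {
        ReferenceCountUtil.release(msg);   // body chunks of a rejected request never reach the router
        return;
      }
      ctx.fireChannelRead(msg);
    }
  }

  // Stand-in for the router: only authenticated requests get here; it answers once the body has fully arrived.
  static final class EchoRouter extends ChannelInboundHandlerAdapter {
    private String uri = "?";

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
      if (msg instanceof HttpRequest) {
        uri = ((HttpRequest) msg).uri();
      }
      boolean last = msg instanceof LastHttpContent;
      ReferenceCountUtil.release(msg);
      if (last) {
        FullHttpResponse resp = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK,
            Unpooled.copiedBuffer("routed " + uri + "\n", StandardCharsets.UTF_8));
        resp.headers().set(HttpHeaderNames.CONTENT_LENGTH, resp.content().readableBytes());
        ctx.writeAndFlush(resp);
      }
    }
  }

  public static void main(String[] args) throws Exception {
    // Demo-only key material (assumption of this example); a deployment passes its real chain and key.
    SelfSignedCertificate demoCert = new SelfSignedCertificate("localhost");
    SslContext sslContext = buildSslContext(true, demoCert.certificate(), demoCert.privateKey());
    String token = args.length > 0 ? args[0] : "demo-token";   // assumed: token supplied on the command line

    EventLoopGroup boss = new NioEventLoopGroup(1);
    EventLoopGroup worker = new NioEventLoopGroup();
    try {
      ServerBootstrap b = new ServerBootstrap().group(boss, worker).channel(NioServerSocketChannel.class)
          .childHandler(new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
              ChannelPipeline p = ch.pipeline();
              // Same ordering as the NettyRouter pipeline: TLS first, codec, auth, expect-continue, router.
              p.addLast("ssl", sslContext.newHandler(ch.alloc()));
              p.addLast("http-codec", new HttpServerCodec());
              p.addLast("access-token-authenticator", new BearerTokenAuthHandler(token));
              p.addLast("expect-continue", new HttpServerExpectContinueHandler());
              p.addLast("http-request-handler", new EchoRouter());
            }
          });
      Channel ch = b.bind("127.0.0.1", 8443).sync().channel();
      System.out.println("try: curl -k https://127.0.0.1:8443/x -H 'Authorization: Bearer " + token + "'");
      ch.closeFuture().sync();
    } finally {
      boss.shutdownGracefully();
      worker.shutdownGracefully();
    }
  }
}
```

Compile and run with netty-all 4.1 on the classpath. A request without the header gets a 401 and the connection is closed; with the matching bearer token the router answers 200. Because the authenticator precedes HttpServerExpectContinueHandler, a client sending Expect: 100-continue without a valid token is refused before being told to transmit its body, which is the point of the "expect-continue after authentication" ordering in the CDAP pipeline. SelfSignedCertificate is for local testing only; on recent JDKs it may require bcpkix on the classpath, and production deployments load a real chain and key through buildSslContext.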
