Use of org.apache.kafka.common.security.auth.SslEngineFactory in the Apache Kafka project.
The class SslFactory, method configure.
/**
 * Performs the one-time configuration of this factory from the supplied SSL configs.
 *
 * <p>The endpoint identification algorithm is captured for later engine creation, a
 * broker-side {@code ssl.client.auth} override (if any) is forced into the configs, and
 * the resulting {@link SslEngineFactory} is instantiated. When
 * {@code keystoreVerifiableUsingTruststore} is set, a client engine and a server engine
 * built from the same settings must be able to complete a handshake with each other
 * before the factory is accepted.
 *
 * @param configs the SSL configs; in production this is a mutable RecordingMap and is
 *                updated in place with the client-auth override
 * @throws IllegalStateException if this factory has already been configured
 * @throws ConfigException if the self-handshake validation fails
 */
@SuppressWarnings("unchecked")
@Override
public void configure(Map<String, ?> configs) throws KafkaException {
    if (sslEngineFactory != null) {
        throw new IllegalStateException("SslFactory was already configured.");
    }
    this.endpointIdentification =
            (String) configs.get(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
    // The caller's map is mutated in place (a mutable RecordingMap in production), so the
    // cast to a writable map is deliberate rather than a defensive copy.
    Map<String, Object> effectiveConfigs = (Map<String, Object>) configs;
    if (clientAuthConfigOverride != null) {
        effectiveConfigs.put(BrokerSecurityConfigs.SSL_CLIENT_AUTH_CONFIG, clientAuthConfigOverride);
    }
    SslEngineFactory candidate = instantiateSslEngineFactory(effectiveConfigs);
    if (keystoreVerifiableUsingTruststore) {
        // Both sides of the probe handshake come from the same factory, so a failure here
        // means the keystore is not trusted by the configured truststore (or vice versa).
        try {
            SslEngineValidator.validate(candidate, candidate);
        } catch (Exception e) {
            throw new ConfigException("A client SSLEngine created with the provided settings "
                    + "can't connect to a server SSLEngine created with those settings.", e);
        }
    }
    this.sslEngineFactory = candidate;
}
Use of org.apache.kafka.common.security.auth.SslEngineFactory in the Apache Kafka project.
The class SslFactoryTest, method testReconfiguration.
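/**
 * Verifies when {@link SslFactory#reconfigure(Map)} rebuilds its {@link SslEngineFactory}:
 * never for an unchanged config and unchanged files, always when the config changes, and
 * also when the config is unchanged but the truststore or keystore file on disk has a newer
 * modification time. A keystore whose modification time can no longer be read (the file was
 * deleted) must not trigger a rebuild.
 *
 * <p>The temporary truststore files are registered for deletion on JVM exit so repeated
 * runs do not accumulate {@code .jks} files in the temp directory.
 */
@Test
public void testReconfiguration() throws Exception {
    File trustStoreFile = File.createTempFile("truststore", ".jks");
    trustStoreFile.deleteOnExit();
    Map<String, Object> sslConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(trustStoreFile).build();
    SslFactory sslFactory = new SslFactory(Mode.SERVER);
    sslFactory.configure(sslConfig);
    SslEngineFactory sslEngineFactory = sslFactory.sslEngineFactory();
    assertNotNull(sslEngineFactory, "SslEngineFactory not created");
    // Verify that SslEngineFactory is not recreated on reconfigure() if config and
    // file are not changed
    sslFactory.reconfigure(sslConfig);
    assertSame(sslEngineFactory, sslFactory.sslEngineFactory(), "SslEngineFactory recreated unnecessarily");
    // Verify that the SslEngineFactory is recreated on reconfigure() if config is changed
    trustStoreFile = File.createTempFile("truststore", ".jks");
    trustStoreFile.deleteOnExit();
    sslConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(trustStoreFile).build();
    sslFactory.reconfigure(sslConfig);
    assertNotSame(sslEngineFactory, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
    sslEngineFactory = sslFactory.sslEngineFactory();
    // Verify that builder is recreated on reconfigure() if config is not changed, but truststore file was modified.
    // The modification time is pushed into the future so it is strictly newer than the one recorded at
    // creation regardless of filesystem timestamp granularity; if setLastModified() silently fails,
    // the assertNotSame below fails rather than passing for the wrong reason.
    trustStoreFile.setLastModified(System.currentTimeMillis() + 10000);
    sslFactory.reconfigure(sslConfig);
    assertNotSame(sslEngineFactory, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
    sslEngineFactory = sslFactory.sslEngineFactory();
    // Verify that builder is recreated on reconfigure() if config is not changed, but keystore file was modified
    File keyStoreFile = new File((String) sslConfig.get(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG));
    keyStoreFile.setLastModified(System.currentTimeMillis() + 10000);
    sslFactory.reconfigure(sslConfig);
    assertNotSame(sslEngineFactory, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
    sslEngineFactory = sslFactory.sslEngineFactory();
    // Verify that builder is recreated after validation on reconfigure() if config is not changed, but keystore file was modified
    keyStoreFile.setLastModified(System.currentTimeMillis() + 15000);
    sslFactory.validateReconfiguration(sslConfig);
    sslFactory.reconfigure(sslConfig);
    assertNotSame(sslEngineFactory, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
    sslEngineFactory = sslFactory.sslEngineFactory();
    // Verify that the builder is not recreated if modification time cannot be determined
    keyStoreFile.setLastModified(System.currentTimeMillis() + 20000);
    Files.delete(keyStoreFile.toPath());
    sslFactory.reconfigure(sslConfig);
    assertSame(sslEngineFactory, sslFactory.sslEngineFactory(), "SslEngineFactory recreated unnecessarily");
}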
Use of org.apache.kafka.common.security.auth.SslEngineFactory in the Apache Kafka project.
The class SslFactory, method createNewSslEngineFactory.
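/**
 * Builds the {@link SslEngineFactory} that a dynamic reconfiguration would install, or
 * returns the current factory unchanged when nothing relevant differs.
 *
 * <p>The candidate configs are the configs the current factory was built with, overlaid
 * with the reconfigurable keys taken from {@code newConfigs} and the broker-side
 * {@code ssl.client.auth} override. A new factory is only instantiated when the current
 * one reports that it should be rebuilt. The candidate is then validated: a listener may
 * replace its keystore or truststore but may not add or remove one, a replacement keystore
 * must be compatible with the current one (see {@link CertificateEntries#ensureCompatible}),
 * and, when {@code keystoreVerifiableUsingTruststore} is set, the current and candidate
 * engines must be able to handshake with each other.
 *
 * @param newConfigs the updated configs supplied by the reconfiguration
 * @return the current factory when no rebuild is needed, otherwise the validated new factory
 * @throws IllegalStateException if {@link #configure(Map)} has not been called yet
 * @throws ConfigException if the candidate fails validation; the underlying exception is
 *                         attached as the cause
 */
private SslEngineFactory createNewSslEngineFactory(Map<String, ?> newConfigs) {
    if (sslEngineFactory == null) {
        throw new IllegalStateException("SslFactory has not been configured.");
    }
    // Start from the configs the current factory was built with; only the keys advertised
    // by reconfigurableConfigs() are taken from the new map.
    Map<String, Object> nextConfigs = new HashMap<>(sslEngineFactoryConfig);
    copyMapEntries(nextConfigs, newConfigs, reconfigurableConfigs());
    if (clientAuthConfigOverride != null) {
        nextConfigs.put(BrokerSecurityConfigs.SSL_CLIENT_AUTH_CONFIG, clientAuthConfigOverride);
    }
    if (!sslEngineFactory.shouldBeRebuilt(nextConfigs)) {
        return sslEngineFactory;
    }
    // Declared outside the try so a factory that was instantiated but then rejected can be
    // released in the catch block instead of being leaked.
    SslEngineFactory newSslEngineFactory = null;
    try {
        newSslEngineFactory = instantiateSslEngineFactory(nextConfigs);
        // Presence of a keystore is fixed at startup: dynamic updates may replace it but
        // never introduce or drop it.
        if (sslEngineFactory.keystore() == null) {
            if (newSslEngineFactory.keystore() != null) {
                throw new ConfigException("Cannot add SSL keystore to an existing listener for "
                        + "which no keystore was configured.");
            }
        } else {
            if (newSslEngineFactory.keystore() == null) {
                throw new ConfigException("Cannot remove the SSL keystore from an existing listener for "
                        + "which a keystore was configured.");
            }
            // Reject a replacement keystore whose certificate entries are not compatible with
            // the ones currently in use.
            CertificateEntries.ensureCompatible(newSslEngineFactory.keystore(), sslEngineFactory.keystore());
        }
        // The same "replace but never add" rule applies to the truststore.
        if (sslEngineFactory.truststore() == null && newSslEngineFactory.truststore() != null) {
            throw new ConfigException("Cannot add SSL truststore to an existing listener for which no "
                    + "truststore was configured.");
        }
        if (keystoreVerifiableUsingTruststore) {
            // Only meaningful when at least one store is configured; the probe handshake pairs
            // the current factory with the candidate.
            if (sslEngineFactory.truststore() != null || sslEngineFactory.keystore() != null) {
                SslEngineValidator.validate(sslEngineFactory, newSslEngineFactory);
            }
        }
        return newSslEngineFactory;
    } catch (Exception e) {
        // The rejected candidate is never installed, so release whatever it allocated.
        if (newSslEngineFactory != null) {
            Utils.closeQuietly(newSslEngineFactory, "close rejected ssl engine factory");
        }
        log.debug("Validation of dynamic config update of SSLFactory failed.", e);
        // The message text is unchanged (it embeds e); the cause is now attached as well so
        // callers and logs keep the full stack trace.
        throw new ConfigException("Validation of dynamic config update of SSLFactory failed: " + e, e);
    }
}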
Use of org.apache.kafka.common.security.auth.SslEngineFactory in the Apache Kafka project.
The class SslFactory, method instantiateSslEngineFactory.
/**
 * Creates and configures an {@link SslEngineFactory} from the given configs.
 *
 * <p>The implementation class comes from {@code ssl.engine.factory.class}; when that config
 * is absent the {@link DefaultSslEngineFactory} is used. The configs are remembered in
 * {@code sslEngineFactoryConfig} as the base for later dynamic reconfiguration.
 *
 * @param configs the fully resolved SSL configs to pass to the factory
 * @return the configured factory instance
 */
private SslEngineFactory instantiateSslEngineFactory(Map<String, Object> configs) {
    // The config value is expected to already be a Class object (not a class name string).
    @SuppressWarnings("unchecked")
    Class<? extends SslEngineFactory> factoryClass =
            (Class<? extends SslEngineFactory>) configs.get(SslConfigs.SSL_ENGINE_FACTORY_CLASS_CONFIG);
    SslEngineFactory factory = factoryClass == null
            ? new DefaultSslEngineFactory()
            : Utils.newInstance(factoryClass);
    factory.configure(configs);
    // Recorded after configure() so a failing factory does not overwrite the stored configs.
    this.sslEngineFactoryConfig = configs;
    return factory;
}
Use of org.apache.kafka.common.security.auth.SslEngineFactory in the Apache Kafka project.
The class SslFactory, method reconfigure.
/**
 * Applies a dynamic config update by swapping in a freshly built {@link SslEngineFactory}
 * when the update requires one, closing the stale factory in the process. When the update
 * does not require a rebuild the current factory is kept and nothing is logged.
 *
 * @param newConfigs the updated configs
 * @throws KafkaException if building or validating the new factory fails
 */
@Override
public void reconfigure(Map<String, ?> newConfigs) throws KafkaException {
    SslEngineFactory replacement = createNewSslEngineFactory(newConfigs);
    SslEngineFactory current = this.sslEngineFactory;
    if (replacement == current) {
        return; // identity comparison: the same instance means no rebuild happened
    }
    Utils.closeQuietly(current, "close stale ssl engine factory");
    this.sslEngineFactory = replacement;
    log.info("Created new {} SSL engine builder with keystore {} truststore {}",
            mode, replacement.keystore(), replacement.truststore());
}