Example 1 with SslPolicyLoader

Use of org.neo4j.ssl.config.SslPolicyLoader in project neo4j by neo4j.

In class BoltServer, method createInternalProtocolInitializer.

private ProtocolInitializer createInternalProtocolInitializer(BoltProtocolFactory boltProtocolFactory, TransportThrottleGroup throttleGroup, ByteBufAllocator bufferAllocator) {
    SslContext sslCtx = null;
    SslPolicyLoader sslPolicyLoader = dependencyResolver.resolveDependency(SslPolicyLoader.class);
    boolean requireEncryption = sslPolicyLoader.hasPolicyForSource(CLUSTER);
    if (requireEncryption) {
        try {
            sslCtx = sslPolicyLoader.getPolicy(CLUSTER).nettyServerContext();
        } catch (SSLException e) {
            throw new RuntimeException("Failed to initialize SSL encryption support, which is required to start this connector. " + "Error was: " + e.getMessage(), e);
        }
    }
    SocketAddress internalListenAddress;
    if (config.isExplicitlySet(GraphDatabaseSettings.routing_listen_address)) {
        internalListenAddress = config.get(GraphDatabaseSettings.routing_listen_address).socketAddress();
    } else {
        // otherwise use same host as external connector but with default internal port
        internalListenAddress = new InetSocketAddress(config.get(BoltConnector.listen_address).getHostname(), config.get(GraphDatabaseSettings.routing_listen_address).getPort());
    }
    Duration channelTimeout = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_timeout);
    long maxMessageSize = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_max_inbound_bytes);
    return new SocketTransport(BoltConnector.NAME, internalListenAddress, sslCtx, requireEncryption, logService.getInternalLogProvider(), throttleGroup, boltProtocolFactory, connectionTracker, channelTimeout, maxMessageSize, bufferAllocator, boltMemoryPool);
}
Also used: InetSocketAddress(java.net.InetSocketAddress) SocketTransport(org.neo4j.bolt.transport.SocketTransport) SslPolicyLoader(org.neo4j.ssl.config.SslPolicyLoader) Duration(java.time.Duration) SocketAddress(java.net.SocketAddress) DomainSocketAddress(io.netty.channel.unix.DomainSocketAddress) SSLException(javax.net.ssl.SSLException) SslContext(io.netty.handler.ssl.SslContext)

Example 2 with SslPolicyLoader

Use of org.neo4j.ssl.config.SslPolicyLoader in project neo4j by neo4j.

In class BoltServer, method createExternalProtocolInitializer.

private ProtocolInitializer createExternalProtocolInitializer(BoltProtocolFactory boltProtocolFactory, TransportThrottleGroup throttleGroup, Log log, ByteBufAllocator bufferAllocator) {
    SslContext sslCtx;
    boolean requireEncryption;
    BoltConnector.EncryptionLevel encryptionLevel = config.get(BoltConnector.encryption_level);
    SslPolicyLoader sslPolicyLoader = dependencyResolver.resolveDependency(SslPolicyLoader.class);
    switch(encryptionLevel) {
        case REQUIRED:
            // Encrypted connections are mandatory.
            requireEncryption = true;
            sslCtx = createSslContext(sslPolicyLoader);
            break;
        case OPTIONAL:
            // Encrypted connections are optional.
            requireEncryption = false;
            sslCtx = createSslContext(sslPolicyLoader);
            break;
        case DISABLED:
            // Encryption is turned off.
            requireEncryption = false;
            sslCtx = null;
            break;
        default:
            // In the unlikely event that we happen to fall through to the default option here,
            // there is a mismatch between the BoltConnector.EncryptionLevel enum and the options
            // handled in this switch statement. In this case, we'll log a warning and default to
            // disabling encryption, since this mirrors the functionality introduced in 3.0.
            log.warn("Unhandled encryption level %s - assuming DISABLED.", encryptionLevel.name());
            requireEncryption = false;
            sslCtx = null;
            break;
    }
    SocketAddress listenAddress = config.get(BoltConnector.listen_address).socketAddress();
    Duration channelTimeout = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_timeout);
    long maxMessageSize = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_max_inbound_bytes);
    return new SocketTransport(BoltConnector.NAME, listenAddress, sslCtx, requireEncryption, logService.getInternalLogProvider(), throttleGroup, boltProtocolFactory, connectionTracker, channelTimeout, maxMessageSize, bufferAllocator, boltMemoryPool);
}
Also used: BoltConnector(org.neo4j.configuration.connectors.BoltConnector) SocketTransport(org.neo4j.bolt.transport.SocketTransport) SslPolicyLoader(org.neo4j.ssl.config.SslPolicyLoader) Duration(java.time.Duration) SocketAddress(java.net.SocketAddress) DomainSocketAddress(io.netty.channel.unix.DomainSocketAddress) InetSocketAddress(java.net.InetSocketAddress) SslContext(io.netty.handler.ssl.SslContext)

Example 3 with SslPolicyLoader

Use of org.neo4j.ssl.config.SslPolicyLoader in project neo4j by neo4j.

In class AbstractNeoWebServer, method configureWebServer.

protected void configureWebServer() {
    webServer.setHttpAddress(httpListenAddress);
    webServer.setHttpsAddress(httpsListenAddress);
    webServer.setMaxThreads(config.get(ServerSettings.webserver_max_threads));
    webServer.setWadlEnabled(config.get(ServerSettings.wadl_enabled));
    webServer.setComponentsBinder(createComponentsBinder());
    // only load sslPolicy when encryption is enabled
    if (httpsEnabled) {
        SslPolicyLoader sslPolicyLoader = sslPolicyFactorySupplier.get();
        if (sslPolicyLoader.hasPolicyForSource(HTTPS)) {
            webServer.setSslPolicy(sslPolicyLoader.getPolicy(HTTPS));
        }
    }
}
Also used: SslPolicyLoader(org.neo4j.ssl.config.SslPolicyLoader)

Example 4 with SslPolicyLoader

Use of org.neo4j.ssl.config.SslPolicyLoader in project neo4j by neo4j.

In class SslPolicyLoaderTest, method correctBehaviourIfDotfilesPresent.

@ParameterizedTest
@ValueSource(booleans = { true, false })
void correctBehaviourIfDotfilesPresent(boolean ignoreDotfiles) throws IOException {
    // given
    writeJunkToFile(baseDir, ".README");
    writeJunkToFile(trustedDir, ".README");
    writeJunkToFile(revokedDir, ".README");
    // when
    SslPolicyLoader sslPolicyLoader;
    if (!ignoreDotfiles) {
        assertThrows(Exception.class, () -> createSslPolicyLoader(ignoreDotfiles));
        return;
    } else {
        sslPolicyLoader = createSslPolicyLoader(ignoreDotfiles);
    }
    SslPolicy sslPolicy = sslPolicyLoader.getPolicy(TESTING);
    // then
    assertPolicyValid(sslPolicy);
}
Also used: SslPolicyLoader(org.neo4j.ssl.config.SslPolicyLoader) ValueSource(org.junit.jupiter.params.provider.ValueSource) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 5 with SslPolicyLoader

Use of org.neo4j.ssl.config.SslPolicyLoader in project neo4j by neo4j.

In class SslPolicyLoaderTest, method shouldNotComplainIfDotdirsPresent.

@ParameterizedTest
@ValueSource(booleans = { true, false })
void shouldNotComplainIfDotdirsPresent(boolean ignoreDotfiles) throws IOException {
    // given
    makeDir(baseDir, "..data");
    makeDir(trustedDir, "..data");
    makeDir(revokedDir, "..data");
    // when
    SslPolicyLoader sslPolicyLoader;
    if (!ignoreDotfiles) {
        Exception exception = assertThrows(Exception.class, () -> createSslPolicyLoader(ignoreDotfiles));
        assertThat(exception.getMessage()).contains("Failed to create trust manager");
        return;
    } else {
        sslPolicyLoader = createSslPolicyLoader(ignoreDotfiles);
    }
    // then
    SslPolicy sslPolicy = sslPolicyLoader.getPolicy(TESTING);
    assertPolicyValid(sslPolicy);
}
Also used: SslPolicyLoader(org.neo4j.ssl.config.SslPolicyLoader) NoSuchFileException(java.nio.file.NoSuchFileException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) SSLException(javax.net.ssl.SSLException) CRLException(java.security.cert.CRLException) ValueSource(org.junit.jupiter.params.provider.ValueSource) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Aggregations (type and number of usages)

SslPolicyLoader (org.neo4j.ssl.config.SslPolicyLoader): 8
ParameterizedTest (org.junit.jupiter.params.ParameterizedTest): 5
ValueSource (org.junit.jupiter.params.provider.ValueSource): 3
DomainSocketAddress (io.netty.channel.unix.DomainSocketAddress): 2
SslContext (io.netty.handler.ssl.SslContext): 2
InetSocketAddress (java.net.InetSocketAddress): 2
SocketAddress (java.net.SocketAddress): 2
Duration (java.time.Duration): 2
SSLException (javax.net.ssl.SSLException): 2
Test (org.junit.jupiter.api.Test): 2
SocketTransport (org.neo4j.bolt.transport.SocketTransport): 2
IOException (java.io.IOException): 1
NoSuchFileException (java.nio.file.NoSuchFileException): 1
CRLException (java.security.cert.CRLException): 1
CertificateException (java.security.cert.CertificateException): 1
Config (org.neo4j.configuration.Config): 1
BoltConnector (org.neo4j.configuration.connectors.BoltConnector): 1
SslPolicyConfig (org.neo4j.configuration.ssl.SslPolicyConfig): 1