Use of org.neo4j.ssl.config.SslPolicyLoader in project neo4j by neo4j.
The class BoltServer, method createInternalProtocolInitializer.
/**
 * Builds the protocol initializer for the internal (cluster-facing) Bolt connector.
 *
 * <p>TLS on this connector is driven entirely by the {@link SslPolicyLoader}: when a policy exists
 * for the {@code CLUSTER} source, encryption is both enabled and mandatory; when none exists, the
 * transport is created without an SSL context and accepts plaintext connections.
 *
 * @param boltProtocolFactory factory for the Bolt protocol versions offered on this connector
 * @param throttleGroup throttle group applied to the transport
 * @param bufferAllocator Netty buffer allocator handed to the transport
 * @return a {@link SocketTransport} bound to the routing listen address
 * @throws RuntimeException wrapping the {@link SSLException} when the cluster SSL context cannot be built
 */
private ProtocolInitializer createInternalProtocolInitializer(BoltProtocolFactory boltProtocolFactory, TransportThrottleGroup throttleGroup, ByteBufAllocator bufferAllocator) {
    SslPolicyLoader policyLoader = dependencyResolver.resolveDependency(SslPolicyLoader.class);
    // Presence of a CLUSTER policy is the only thing that turns encryption on here.
    boolean requireEncryption = policyLoader.hasPolicyForSource(CLUSTER);
    SslContext sslCtx = null;
    if (requireEncryption) {
        try {
            sslCtx = policyLoader.getPolicy(CLUSTER).nettyServerContext();
        } catch (SSLException e) {
            // A connector that must be encrypted cannot start without its SSL context; keep the cause.
            throw new RuntimeException("Failed to initialize SSL encryption support, which is required to start this connector. Error was: " + e.getMessage(), e);
        }
    }

    SocketAddress listenAddress;
    if (config.isExplicitlySet(GraphDatabaseSettings.routing_listen_address)) {
        listenAddress = config.get(GraphDatabaseSettings.routing_listen_address).socketAddress();
    } else {
        // Not set explicitly: reuse the external connector's host together with the
        // default port of the routing listen address.
        String host = config.get(BoltConnector.listen_address).getHostname();
        int port = config.get(GraphDatabaseSettings.routing_listen_address).getPort();
        listenAddress = new InetSocketAddress(host, port);
    }

    // Limits applied to connections that have not yet authenticated.
    Duration unauthTimeout = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_timeout);
    long unauthMaxInboundBytes = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_max_inbound_bytes);

    return new SocketTransport(BoltConnector.NAME, listenAddress, sslCtx, requireEncryption, logService.getInternalLogProvider(), throttleGroup, boltProtocolFactory, connectionTracker, unauthTimeout, unauthMaxInboundBytes, bufferAllocator, boltMemoryPool);
}
Use of org.neo4j.ssl.config.SslPolicyLoader in project neo4j by neo4j.
The class BoltServer, method createExternalProtocolInitializer.
/**
 * Builds the protocol initializer for the external (client-facing) Bolt connector.
 *
 * <p>The configured {@link BoltConnector.EncryptionLevel} decides both whether an SSL context is
 * created and whether clients are forced to use it: {@code REQUIRED} creates a context and mandates
 * TLS, {@code OPTIONAL} creates a context but also accepts plaintext, and {@code DISABLED} creates
 * none. An unrecognised level is logged and treated like {@code DISABLED}, i.e. the connector
 * falls back to plaintext rather than refusing to start.
 *
 * @param boltProtocolFactory factory for the Bolt protocol versions offered on this connector
 * @param throttleGroup throttle group applied to the transport
 * @param log log used to report an unhandled encryption level
 * @param bufferAllocator Netty buffer allocator handed to the transport
 * @return a {@link SocketTransport} bound to the connector's listen address
 */
private ProtocolInitializer createExternalProtocolInitializer(BoltProtocolFactory boltProtocolFactory, TransportThrottleGroup throttleGroup, Log log, ByteBufAllocator bufferAllocator) {
    BoltConnector.EncryptionLevel level = config.get(BoltConnector.encryption_level);
    SslPolicyLoader policyLoader = dependencyResolver.resolveDependency(SslPolicyLoader.class);

    // Defaults correspond to DISABLED; the branches below only ever tighten them.
    boolean requireEncryption = false;
    SslContext sslCtx = null;
    if (level == BoltConnector.EncryptionLevel.REQUIRED) {
        // Clients must negotiate TLS.
        requireEncryption = true;
        sslCtx = createSslContext(policyLoader);
    } else if (level == BoltConnector.EncryptionLevel.OPTIONAL) {
        // TLS is offered, plaintext is still accepted.
        sslCtx = createSslContext(policyLoader);
    } else if (level != BoltConnector.EncryptionLevel.DISABLED) {
        // The enum gained a value this method does not know about. Mirroring the behaviour
        // introduced in 3.0, warn and run unencrypted instead of failing startup.
        log.warn("Unhandled encryption level %s - assuming DISABLED.", level.name());
    }

    SocketAddress listenAddress = config.get(BoltConnector.listen_address).socketAddress();
    // Limits applied to connections that have not yet authenticated.
    Duration unauthTimeout = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_timeout);
    long unauthMaxInboundBytes = config.get(BoltConnectorInternalSettings.unsupported_bolt_unauth_connection_max_inbound_bytes);

    return new SocketTransport(BoltConnector.NAME, listenAddress, sslCtx, requireEncryption, logService.getInternalLogProvider(), throttleGroup, boltProtocolFactory, connectionTracker, unauthTimeout, unauthMaxInboundBytes, bufferAllocator, boltMemoryPool);
}
Use of org.neo4j.ssl.config.SslPolicyLoader in project neo4j by neo4j.
The class AbstractNeoWebServer, method configureWebServer.
/**
 * Pushes the configured addresses, thread limit, WADL flag and component binder into the web
 * server, and — only when HTTPS is enabled — installs the SSL policy for the {@code HTTPS} source.
 *
 * <p>When HTTPS is enabled but the loader has no policy for {@code HTTPS}, no SSL policy is set at
 * all; this method does not fail in that case.
 */
protected void configureWebServer() {
    webServer.setHttpAddress(httpListenAddress);
    webServer.setHttpsAddress(httpsListenAddress);
    webServer.setMaxThreads(config.get(ServerSettings.webserver_max_threads));
    webServer.setWadlEnabled(config.get(ServerSettings.wadl_enabled));
    webServer.setComponentsBinder(createComponentsBinder());

    if (!httpsEnabled) {
        // Plain HTTP only: the SSL policy loader is never consulted.
        return;
    }
    SslPolicyLoader policyLoader = sslPolicyFactorySupplier.get();
    if (policyLoader.hasPolicyForSource(HTTPS)) {
        webServer.setSslPolicy(policyLoader.getPolicy(HTTPS));
    }
    // NOTE(review): with HTTPS enabled and no HTTPS policy, nothing is installed here; whether the
    // server then refuses to start or serves without TLS is decided by webServer, not in this method.
}
Use of org.neo4j.ssl.config.SslPolicyLoader in project neo4j by neo4j.
The class SslPolicyLoaderTest, method correctBehaviourIfDotfilesPresent.
/**
 * Dotfiles such as {@code .README} dropped into the base, trusted and revoked directories must be
 * skipped when dotfile ignoring is on, and must make loader creation fail when it is off.
 *
 * @param ignoreDotfiles whether the loader under test is created with dotfile ignoring enabled
 * @throws IOException if the junk files cannot be written
 */
@ParameterizedTest
@ValueSource(booleans = { true, false })
void correctBehaviourIfDotfilesPresent(boolean ignoreDotfiles) throws IOException {
    // given: a dotfile in every directory the loader scans
    writeJunkToFile(baseDir, ".README");
    writeJunkToFile(trustedDir, ".README");
    writeJunkToFile(revokedDir, ".README");

    // when / then
    if (ignoreDotfiles) {
        SslPolicy policy = createSslPolicyLoader(ignoreDotfiles).getPolicy(TESTING);
        assertPolicyValid(policy);
    } else {
        // Junk that is not ignored must be rejected at load time.
        assertThrows(Exception.class, () -> createSslPolicyLoader(ignoreDotfiles));
    }
}
Use of org.neo4j.ssl.config.SslPolicyLoader in project neo4j by neo4j.
The class SslPolicyLoaderTest, method shouldNotComplainIfDotdirsPresent.
/**
 * Dot-directories such as {@code ..data} in the base, trusted and revoked directories must be
 * skipped when dotfile ignoring is on; when it is off, loader creation must fail while building
 * the trust manager.
 *
 * @param ignoreDotfiles whether the loader under test is created with dotfile ignoring enabled
 * @throws IOException if the directories cannot be created
 */
@ParameterizedTest
@ValueSource(booleans = { true, false })
void shouldNotComplainIfDotdirsPresent(boolean ignoreDotfiles) throws IOException {
    // given: a dot-directory in every directory the loader scans
    makeDir(baseDir, "..data");
    makeDir(trustedDir, "..data");
    makeDir(revokedDir, "..data");

    // when / then
    if (ignoreDotfiles) {
        SslPolicy policy = createSslPolicyLoader(ignoreDotfiles).getPolicy(TESTING);
        assertPolicyValid(policy);
    } else {
        // The failure must surface from trust-manager construction, not from somewhere later.
        Exception failure = assertThrows(Exception.class, () -> createSslPolicyLoader(ignoreDotfiles));
        assertThat(failure.getMessage()).contains("Failed to create trust manager");
    }
}