Skip to content

Commit e6b169e

Browse files
author
Apurva Telang
committed
pip-337-impl
1 parent c07b158 commit e6b169e

File tree

75 files changed

+2254
-1307
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

75 files changed

+2254
-1307
lines changed

pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java

+19
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,7 @@
4949
import org.apache.pulsar.common.policies.data.TopicType;
5050
import org.apache.pulsar.common.protocol.Commands;
5151
import org.apache.pulsar.common.sasl.SaslConstants;
52+
import org.apache.pulsar.common.util.DefaultPulsarSslFactory;
5253
import org.apache.pulsar.common.util.DirectMemoryUtils;
5354
import org.apache.pulsar.metadata.api.MetadataStoreFactory;
5455
import org.apache.pulsar.metadata.impl.ZKMetadataStore;
@@ -1581,6 +1582,15 @@ The max allowed delay for delayed delivery (in milliseconds). If the broker rece
15811582
doc = "Specify whether Client certificates are required for TLS Reject.\n"
15821583
+ "the Connection if the Client Certificate is not trusted")
15831584
private boolean tlsRequireTrustedClientCertOnConnect = false;
1585+
@FieldContext(
1586+
category = CATEGORY_TLS,
1587+
doc = "SSL Factory Plugin class to provide SSLEngine and SSLContext objects. The default "
1588+
+ " class used is DefaultSslFactory.")
1589+
private String sslFactoryPlugin = DefaultPulsarSslFactory.class.getName();
1590+
@FieldContext(
1591+
category = CATEGORY_TLS,
1592+
doc = "SSL Factory plugin configuration parameters.")
1593+
private String sslFactoryPluginParams = "";
15841594

15851595
/***** --- Authentication. --- ****/
15861596
@FieldContext(
@@ -3546,6 +3556,15 @@ public double getLoadBalancerBandwidthOutResourceWeight() {
35463556
+ " used by the internal client to authenticate with Pulsar brokers"
35473557
)
35483558
private Set<String> brokerClientTlsProtocols = new TreeSet<>();
3559+
@FieldContext(
3560+
category = CATEGORY_TLS,
3561+
doc = "SSL Factory Plugin class used by internal client to provide SSLEngine and SSLContext objects. "
3562+
+ "The default class used is DefaultSslFactory.")
3563+
private String brokerClientSslFactoryPlugin = DefaultPulsarSslFactory.class.getName();
3564+
@FieldContext(
3565+
category = CATEGORY_TLS,
3566+
doc = "SSL Factory plugin configuration parameters used by internal client.")
3567+
private String brokerClientSslFactoryPluginParams = "";
35493568

35503569
/* packages management service configurations (begin) */
35513570

pulsar-broker-common/src/main/java/org/apache/pulsar/jetty/tls/JettySslContextFactory.java

+10-48
Original file line numberDiff line numberDiff line change
@@ -21,10 +21,8 @@
2121
import java.util.Set;
2222
import javax.net.ssl.SSLContext;
2323
import lombok.extern.slf4j.Slf4j;
24-
import org.apache.pulsar.common.util.DefaultSslContextBuilder;
24+
import org.apache.pulsar.common.util.PulsarSslFactory;
2525
import org.apache.pulsar.common.util.SecurityUtility;
26-
import org.apache.pulsar.common.util.SslContextAutoRefreshBuilder;
27-
import org.apache.pulsar.common.util.keystoretls.NetSslContextBuilder;
2826
import org.eclipse.jetty.util.ssl.SslContextFactory;
2927

3028
@Slf4j
@@ -35,57 +33,21 @@ public class JettySslContextFactory {
3533
}
3634
}
3735

38-
public static SslContextFactory.Server createServerSslContextWithKeystore(String sslProviderString,
39-
String keyStoreTypeString,
40-
String keyStore,
41-
String keyStorePassword,
42-
boolean allowInsecureConnection,
43-
String trustStoreTypeString,
44-
String trustStore,
45-
String trustStorePassword,
46-
boolean requireTrustedClientCertOnConnect,
47-
Set<String> ciphers,
48-
Set<String> protocols,
49-
long certRefreshInSec) {
50-
NetSslContextBuilder sslCtxRefresher = new NetSslContextBuilder(
51-
sslProviderString,
52-
keyStoreTypeString,
53-
keyStore,
54-
keyStorePassword,
55-
allowInsecureConnection,
56-
trustStoreTypeString,
57-
trustStore,
58-
trustStorePassword,
59-
requireTrustedClientCertOnConnect,
60-
certRefreshInSec);
61-
62-
return new JettySslContextFactory.Server(sslProviderString, sslCtxRefresher,
36+
public static SslContextFactory.Server createSslContextFactory(String sslProviderString,
37+
PulsarSslFactory pulsarSslFactory,
38+
boolean requireTrustedClientCertOnConnect,
39+
Set<String> ciphers, Set<String> protocols) {
40+
return new JettySslContextFactory.Server(sslProviderString, pulsarSslFactory,
6341
requireTrustedClientCertOnConnect, ciphers, protocols);
6442
}
6543

66-
public static SslContextFactory createServerSslContext(String sslProviderString, boolean tlsAllowInsecureConnection,
67-
String tlsTrustCertsFilePath,
68-
String tlsCertificateFilePath,
69-
String tlsKeyFilePath,
70-
boolean tlsRequireTrustedClientCertOnConnect,
71-
Set<String> ciphers,
72-
Set<String> protocols,
73-
long certRefreshInSec) {
74-
DefaultSslContextBuilder sslCtxRefresher =
75-
new DefaultSslContextBuilder(tlsAllowInsecureConnection, tlsTrustCertsFilePath, tlsCertificateFilePath,
76-
tlsKeyFilePath, tlsRequireTrustedClientCertOnConnect, certRefreshInSec, sslProviderString);
77-
78-
return new JettySslContextFactory.Server(sslProviderString, sslCtxRefresher,
79-
tlsRequireTrustedClientCertOnConnect, ciphers, protocols);
80-
}
81-
8244
private static class Server extends SslContextFactory.Server {
83-
private final SslContextAutoRefreshBuilder<SSLContext> sslCtxRefresher;
45+
private final PulsarSslFactory pulsarSslFactory;
8446

85-
public Server(String sslProviderString, SslContextAutoRefreshBuilder<SSLContext> sslCtxRefresher,
47+
public Server(String sslProviderString, PulsarSslFactory pulsarSslFactory,
8648
boolean requireTrustedClientCertOnConnect, Set<String> ciphers, Set<String> protocols) {
8749
super();
88-
this.sslCtxRefresher = sslCtxRefresher;
50+
this.pulsarSslFactory = pulsarSslFactory;
8951

9052
if (ciphers != null && ciphers.size() > 0) {
9153
this.setIncludeCipherSuites(ciphers.toArray(new String[0]));
@@ -110,7 +72,7 @@ public Server(String sslProviderString, SslContextAutoRefreshBuilder<SSLContext>
11072

11173
@Override
11274
public SSLContext getSslContext() {
113-
return sslCtxRefresher.get();
75+
return this.pulsarSslFactory.getInternalSslContext();
11476
}
11577
}
11678
}

pulsar-broker-common/src/test/java/org/apache/pulsar/jetty/tls/JettySslContextFactoryTest.java

+63-31
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,9 @@
4242
import org.eclipse.jetty.server.ServerConnector;
4343
import org.eclipse.jetty.util.ssl.SslContextFactory;
4444
import org.testng.annotations.Test;
45+
import org.apache.pulsar.common.util.DefaultPulsarSslFactory;
46+
import org.apache.pulsar.common.util.PulsarSslConfiguration;
47+
import org.apache.pulsar.common.util.PulsarSslFactory;
4548

4649
@Slf4j
4750
public class JettySslContextFactoryTest {
@@ -51,16 +54,20 @@ public void testJettyTlsServerTls() throws Exception {
5154
@Cleanup("stop")
5255
Server server = new Server();
5356
List<ServerConnector> connectors = new ArrayList<>();
54-
SslContextFactory factory = JettySslContextFactory.createServerSslContext(
55-
null,
56-
false,
57-
Resources.getResource("ssl/my-ca/ca.pem").getPath(),
58-
Resources.getResource("ssl/my-ca/server-ca.pem").getPath(),
59-
Resources.getResource("ssl/my-ca/server-key.pem").getPath(),
60-
true,
61-
null,
62-
null,
63-
600);
57+
PulsarSslConfiguration sslConfiguration = PulsarSslConfiguration.builder()
58+
.tlsTrustCertsFilePath(Resources.getResource("ssl/my-ca/ca.pem").getPath())
59+
.tlsCertificateFilePath(Resources.getResource("ssl/my-ca/server-ca.pem").getPath())
60+
.tlsKeyFilePath(Resources.getResource("ssl/my-ca/server-key.pem").getPath())
61+
.allowInsecureConnection(false)
62+
.requireTrustedClientCertOnConnect(true)
63+
.tlsEnabledWithKeystore(false)
64+
.isHttps(true)
65+
.build();
66+
PulsarSslFactory sslFactory = new DefaultPulsarSslFactory();
67+
sslFactory.initialize(sslConfiguration);
68+
sslFactory.createInternalSslContext();
69+
SslContextFactory factory = JettySslContextFactory.createSslContextFactory(null,
70+
sslFactory, true, null, null);
6471

6572
ServerConnector connector = new ServerConnector(server, factory);
6673
connector.setPort(0);
@@ -85,20 +92,30 @@ public void testJettyTlsServerInvalidTlsProtocol() throws Exception {
8592
@Cleanup("stop")
8693
Server server = new Server();
8794
List<ServerConnector> connectors = new ArrayList<>();
88-
SslContextFactory factory = JettySslContextFactory.createServerSslContext(
89-
null,
90-
false,
91-
Resources.getResource("ssl/my-ca/ca.pem").getPath(),
92-
Resources.getResource("ssl/my-ca/server-ca.pem").getPath(),
93-
Resources.getResource("ssl/my-ca/server-key.pem").getPath(),
94-
true,
95-
null,
95+
PulsarSslConfiguration sslConfiguration = PulsarSslConfiguration.builder()
96+
.tlsProtocols(new HashSet<String>() {
97+
{
98+
this.add("TLSv1.3");
99+
}
100+
})
101+
.tlsTrustCertsFilePath(Resources.getResource("ssl/my-ca/ca.pem").getPath())
102+
.tlsCertificateFilePath(Resources.getResource("ssl/my-ca/server-ca.pem").getPath())
103+
.tlsKeyFilePath(Resources.getResource("ssl/my-ca/server-key.pem").getPath())
104+
.allowInsecureConnection(false)
105+
.requireTrustedClientCertOnConnect(true)
106+
.tlsEnabledWithKeystore(false)
107+
.isHttps(true)
108+
.build();
109+
PulsarSslFactory sslFactory = new DefaultPulsarSslFactory();
110+
sslFactory.initialize(sslConfiguration);
111+
sslFactory.createInternalSslContext();
112+
SslContextFactory factory = JettySslContextFactory.createSslContextFactory(null,
113+
sslFactory, true, null,
96114
new HashSet<String>() {
97115
{
98116
this.add("TLSv1.3");
99117
}
100-
},
101-
600);
118+
});
102119
factory.setHostnameVerifier((s, sslSession) -> true);
103120
ServerConnector connector = new ServerConnector(server, factory);
104121
connector.setPort(0);
@@ -123,25 +140,40 @@ public void testJettyTlsServerInvalidCipher() throws Exception {
123140
@Cleanup("stop")
124141
Server server = new Server();
125142
List<ServerConnector> connectors = new ArrayList<>();
126-
SslContextFactory factory = JettySslContextFactory.createServerSslContext(
127-
null,
128-
false,
129-
Resources.getResource("ssl/my-ca/ca.pem").getPath(),
130-
Resources.getResource("ssl/my-ca/server-ca.pem").getPath(),
131-
Resources.getResource("ssl/my-ca/server-key.pem").getPath(),
132-
true,
143+
PulsarSslConfiguration sslConfiguration = PulsarSslConfiguration.builder()
144+
.tlsCiphers(new HashSet<String>() {
145+
{
146+
this.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
147+
}
148+
})
149+
.tlsProtocols(new HashSet<String>() {
150+
{
151+
this.add("TLSv1.3");
152+
}
153+
})
154+
.tlsTrustCertsFilePath(Resources.getResource("ssl/my-ca/ca.pem").getPath())
155+
.tlsCertificateFilePath(Resources.getResource("ssl/my-ca/server-ca.pem").getPath())
156+
.tlsKeyFilePath(Resources.getResource("ssl/my-ca/server-key.pem").getPath())
157+
.allowInsecureConnection(false)
158+
.requireTrustedClientCertOnConnect(true)
159+
.isHttps(true)
160+
.tlsEnabledWithKeystore(false)
161+
.build();
162+
PulsarSslFactory sslFactory = new DefaultPulsarSslFactory();
163+
sslFactory.initialize(sslConfiguration);
164+
sslFactory.createInternalSslContext();
165+
SslContextFactory factory = JettySslContextFactory.createSslContextFactory(null,
166+
sslFactory, true,
133167
new HashSet<String>() {
134168
{
135169
this.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
136170
}
137171
},
138172
new HashSet<String>() {
139173
{
140-
this.add("TLSv1.2");
174+
this.add("TLSv1.3");
141175
}
142-
},
143-
600);
144-
176+
});
145177
factory.setHostnameVerifier((s, sslSession) -> true);
146178
ServerConnector connector = new ServerConnector(server, factory);
147179
connector.setPort(0);

pulsar-broker-common/src/test/java/org/apache/pulsar/jetty/tls/JettySslContextFactoryWithKeyStoreTest.java

+70-12
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,9 @@
4343
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
4444
import org.apache.logging.log4j.Level;
4545
import org.apache.logging.log4j.core.config.Configurator;
46+
import org.apache.pulsar.common.util.DefaultPulsarSslFactory;
47+
import org.apache.pulsar.common.util.PulsarSslConfiguration;
48+
import org.apache.pulsar.common.util.PulsarSslFactory;
4649
import org.eclipse.jetty.server.Server;
4750
import org.eclipse.jetty.server.ServerConnector;
4851
import org.eclipse.jetty.util.ssl.SslContextFactory;
@@ -66,10 +69,22 @@ public void testJettyTlsServerTls() throws Exception {
6669
@Cleanup("stop")
6770
Server server = new Server();
6871
List<ServerConnector> connectors = new ArrayList<>();
69-
SslContextFactory.Server factory = JettySslContextFactory.createServerSslContextWithKeystore(null,
70-
keyStoreType, brokerKeyStorePath, keyStorePassword, false, keyStoreType,
71-
clientTrustStorePath, keyStorePassword, true, null,
72-
null, 600);
72+
PulsarSslConfiguration sslConfiguration = PulsarSslConfiguration.builder()
73+
.tlsKeyStoreType(keyStoreType)
74+
.tlsKeyStorePath(brokerKeyStorePath)
75+
.tlsKeyStorePassword(keyStorePassword)
76+
.tlsTrustStoreType(keyStoreType)
77+
.tlsTrustStorePath(clientTrustStorePath)
78+
.tlsTrustStorePassword(keyStorePassword)
79+
.requireTrustedClientCertOnConnect(true)
80+
.tlsEnabledWithKeystore(true)
81+
.isHttps(true)
82+
.build();
83+
PulsarSslFactory sslFactory = new DefaultPulsarSslFactory();
84+
sslFactory.initialize(sslConfiguration);
85+
sslFactory.createInternalSslContext();
86+
SslContextFactory.Server factory = JettySslContextFactory.createSslContextFactory(null,
87+
sslFactory, true, null, null);
7388
factory.setHostnameVerifier((s, sslSession) -> true);
7489
ServerConnector connector = new ServerConnector(server, factory);
7590
connector.setPort(0);
@@ -95,14 +110,32 @@ public void testJettyTlsServerInvalidTlsProtocol() throws Exception {
95110
@Cleanup("stop")
96111
Server server = new Server();
97112
List<ServerConnector> connectors = new ArrayList<>();
98-
SslContextFactory.Server factory = JettySslContextFactory.createServerSslContextWithKeystore(null,
99-
keyStoreType, brokerKeyStorePath, keyStorePassword, false, keyStoreType, clientTrustStorePath,
100-
keyStorePassword, true, null,
113+
PulsarSslConfiguration sslConfiguration = PulsarSslConfiguration.builder()
114+
.tlsKeyStoreType(keyStoreType)
115+
.tlsKeyStorePath(brokerKeyStorePath)
116+
.tlsKeyStorePassword(keyStorePassword)
117+
.tlsTrustStoreType(keyStoreType)
118+
.tlsTrustStorePath(clientTrustStorePath)
119+
.tlsTrustStorePassword(keyStorePassword)
120+
.tlsProtocols(new HashSet<String>() {
121+
{
122+
this.add("TLSv1.3");
123+
}
124+
})
125+
.requireTrustedClientCertOnConnect(true)
126+
.tlsEnabledWithKeystore(true)
127+
.isHttps(true)
128+
.build();
129+
PulsarSslFactory sslFactory = new DefaultPulsarSslFactory();
130+
sslFactory.initialize(sslConfiguration);
131+
sslFactory.createInternalSslContext();
132+
SslContextFactory.Server factory = JettySslContextFactory.createSslContextFactory(null,
133+
sslFactory, true, null,
101134
new HashSet<String>() {
102135
{
103136
this.add("TLSv1.3");
104137
}
105-
}, 600);
138+
});
106139
factory.setHostnameVerifier((s, sslSession) -> true);
107140
ServerConnector connector = new ServerConnector(server, factory);
108141
connector.setPort(0);
@@ -127,18 +160,43 @@ public void testJettyTlsServerInvalidCipher() throws Exception {
127160
@Cleanup("stop")
128161
Server server = new Server();
129162
List<ServerConnector> connectors = new ArrayList<>();
130-
SslContextFactory.Server factory = JettySslContextFactory.createServerSslContextWithKeystore(null,
131-
keyStoreType, brokerKeyStorePath, keyStorePassword, false, keyStoreType, clientTrustStorePath,
132-
keyStorePassword, true, new HashSet<String>() {
163+
PulsarSslConfiguration sslConfiguration = PulsarSslConfiguration.builder()
164+
.tlsKeyStoreType(keyStoreType)
165+
.tlsKeyStorePath(brokerKeyStorePath)
166+
.tlsKeyStorePassword(keyStorePassword)
167+
.tlsTrustStoreType(keyStoreType)
168+
.tlsTrustStorePath(clientTrustStorePath)
169+
.tlsTrustStorePassword(keyStorePassword)
170+
.tlsCiphers(new HashSet<String>() {
171+
{
172+
this.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
173+
}
174+
})
175+
.tlsProtocols(new HashSet<String>() {
176+
{
177+
this.add("TLSv1.3");
178+
}
179+
})
180+
.requireTrustedClientCertOnConnect(true)
181+
.tlsEnabledWithKeystore(true)
182+
.isHttps(true)
183+
.build();
184+
PulsarSslFactory sslFactory = new DefaultPulsarSslFactory();
185+
sslFactory.initialize(sslConfiguration);
186+
sslFactory.createInternalSslContext();
187+
SslContextFactory.Server factory = JettySslContextFactory.createSslContextFactory(null,
188+
sslFactory, true,
189+
new HashSet<String>() {
133190
{
134191
this.add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
135192
}
136193
},
137194
new HashSet<String>() {
138195
{
139196
this.add("TLSv1.2");
197+
this.add("TLSv1.3");
140198
}
141-
}, 600);
199+
});
142200
factory.setHostnameVerifier((s, sslSession) -> true);
143201
ServerConnector connector = new ServerConnector(server, factory);
144202
connector.setPort(0);

0 commit comments

Comments
 (0)