This is an automated email from the ASF dual-hosted git repository.
cgivre pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/drill.git
The following commit(s) were added to refs/heads/master by this push:
new 5f5ae89 DRILL-8008: Add Config Option to HTTP Plugin to Skip SSL
Validation (#2331)
5f5ae89 is described below
commit 5f5ae89392471d237605c0b5e1a337e5bc0e10ff
Author: Charles S. Givre <[email protected]>
AuthorDate: Tue Oct 12 19:39:28 2021 -0400
DRILL-8008: Add Config Option to HTTP Plugin to Skip SSL Validation (#2331)
* Initial Commit
* Removed unused import
* Addressed Review Comments
* Removed unused import
---
contrib/storage-http/README.md | 4 ++
contrib/storage-http/pom.xml | 2 +-
.../drill/exec/store/http/HttpApiConfig.java | 11 +++++
.../drill/exec/store/http/util/SimpleHttp.java | 47 ++++++++++++++++++++++
4 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/contrib/storage-http/README.md b/contrib/storage-http/README.md
index 427ed83..77ffc35 100644
--- a/contrib/storage-http/README.md
+++ b/contrib/storage-http/README.md
@@ -260,6 +260,10 @@ When a user makes HTTP calls, the response code will be
from 100-599. 400 serie
errors on 400 series errors. This option allows you to define Drill's
behavior on 400 series error codes. When set to `true`, Drill will throw an
exception and halt execution
on 400 series errors, `false` will return an empty result set (with implicit
fields populated).
+#### verifySSLCert
+Default is `true`, but when set to false, Drill will trust all SSL
certificates. Useful for debugging or on internal corporate networks using
self-signed certificates or
+private certificate authorities.
+
## Usage
This plugin is different from other plugins in that it the table component of
the `FROM` clause
diff --git a/contrib/storage-http/pom.xml b/contrib/storage-http/pom.xml
index 3e8af05..e7f9342 100644
--- a/contrib/storage-http/pom.xml
+++ b/contrib/storage-http/pom.xml
@@ -31,7 +31,7 @@
<name>Drill : Contrib : Storage : HTTP</name>
<properties>
- <okhttp.version>4.9.1</okhttp.version>
+ <okhttp.version>4.9.2</okhttp.version>
</properties>
<dependencies>
diff --git
a/contrib/storage-http/src/main/java/org/apache/drill/exec/store/http/HttpApiConfig.java
b/contrib/storage-http/src/main/java/org/apache/drill/exec/store/http/HttpApiConfig.java
index 11b96c9..6bae806 100644
---
a/contrib/storage-http/src/main/java/org/apache/drill/exec/store/http/HttpApiConfig.java
+++
b/contrib/storage-http/src/main/java/org/apache/drill/exec/store/http/HttpApiConfig.java
@@ -102,6 +102,10 @@ public class HttpApiConfig {
private final int xmlDataLevel;
@JsonProperty
private final boolean errorOn400;
+
+ @JsonInclude
+ @JsonProperty
+ private final boolean verifySSLCert;
@Getter(AccessLevel.NONE)
private final CredentialsProvider credentialsProvider;
@Getter(AccessLevel.NONE)
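Review bot: The new `verifySSLCert` field has no comment saying what turning it off does, although it is the one switch in this config that disables transport security checks. A one-line comment above the `@JsonInclude` annotation would orient readers of the config class, e.g. `// When false, TLS certificate and hostname verification are skipped for this connection (see SimpleHttp); defaults to true.`. Unlike `errorOn400` directly above, the field also carries `@JsonInclude`, which presumably makes it always appear in serialized configs; if that is deliberate so the effective value is visible in stored plugin configs, a short note saying so would save the next reader the question. The enclosing class continues outside this hunk.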
@@ -154,6 +158,9 @@ public class HttpApiConfig {
// Default to true for backward compatibility with first PR.
this.requireTail = builder.requireTail;
+ // Default to true for backward compatibility, and better security
practices
+ this.verifySSLCert = builder().verifySSLCert();
+
this.inputType = builder.inputType.trim().toLowerCase();
this.xmlDataLevel = Math.max(1, builder.xmlDataLevel);
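Review bot: `this.verifySSLCert = builder().verifySSLCert();` on the added line reads from `builder()` with parentheses, whereas the neighbouring assignments (`builder.requireTail`, `builder.inputType`, `builder.xmlDataLevel`) read from the `builder` constructor argument. If `builder()` resolves to the class's static factory that creates a fresh builder, the assignment always yields the builder default of `true` and a configured `false` is silently ignored, so the option would never take effect at runtime. Reading from the argument instead, `this.verifySSLCert = builder.verifySSLCert;`, keeps it consistent with the surrounding lines and with the comment that announces the default. The constructor starts and ends outside this hunk.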
@@ -217,6 +224,10 @@ public class HttpApiConfig {
@Getter
@Setter
+ private boolean verifySSLCert = true;
+
+ @Getter
+ @Setter
private String inputType = DEFAULT_INPUT_FORMAT;
public HttpApiConfig build() {
diff --git
a/contrib/storage-http/src/main/java/org/apache/drill/exec/store/http/util/SimpleHttp.java
b/contrib/storage-http/src/main/java/org/apache/drill/exec/store/http/util/SimpleHttp.java
index 486117a..69779e5 100644
---
a/contrib/storage-http/src/main/java/org/apache/drill/exec/store/http/util/SimpleHttp.java
+++
b/contrib/storage-http/src/main/java/org/apache/drill/exec/store/http/util/SimpleHttp.java
@@ -39,6 +39,11 @@ import org.apache.drill.exec.store.http.HttpSubScan;
import org.apache.drill.exec.store.security.UsernamePasswordCredentials;
import org.jetbrains.annotations.NotNull;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
@@ -46,6 +51,9 @@ import java.io.UnsupportedEncodingException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URLDecoder;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
@@ -116,6 +124,25 @@ public class SimpleHttp {
builder.writeTimeout(timeout, TimeUnit.SECONDS);
builder.readTimeout(timeout, TimeUnit.SECONDS);
+ // Code to skip SSL Certificate validation
+ // Sourced from
https://stackoverflow.com/questions/60110848/how-to-disable-ssl-verification
+ if (! scanDefn.tableSpec().connectionConfig().verifySSLCert()) {
+ try {
+ TrustManager[] trustAllCerts = getAllTrustingTrustManager();
+ SSLContext sslContext = SSLContext.getInstance("SSL");
+ sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
+ SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
+
+
+ builder.sslSocketFactory(sslSocketFactory, (X509TrustManager)
trustAllCerts[0]);
+ HostnameVerifier verifier = (hostname, session) -> true;
+ builder.hostnameVerifier(verifier);
+
+ } catch (KeyManagementException | NoSuchAlgorithmException e) {
+ logger.error("Error when configuring Drill not to verify SSL certs.
{}", e.getMessage());
+ }
+ }
+
// Set the proxy configuration
Proxy.Type proxyType;
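Review bot: `SSLContext.getInstance("SSL")` asks for a context under the legacy SSL protocol name; `SSLContext.getInstance("TLS")` is the conventional choice and serves the same purpose here, which is only to obtain a socket factory backed by the trust-all manager. The catch block also discards the exception object and logs just its message, so a failed `init` leaves no stack trace; pass the exception as the last argument, `logger.error("Error when configuring Drill not to verify SSL certs.", e);`. Because disabling verification is a security-relevant choice, a `logger.warn(...)` at the top of the `if` stating that certificate and hostname verification is disabled for this connection would give operators an audit trail whenever a plugin configured this way is used. The enclosing client-builder method starts and ends outside this hunk, and the two consecutive blank lines after the `sslSocketFactory` assignment can be collapsed to one.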
@@ -149,6 +176,26 @@ public class SimpleHttp {
return url.toString();
}
+ private TrustManager[] getAllTrustingTrustManager() {
+ return new TrustManager[] {
+ new X509TrustManager() {
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String
authType) {
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String
authType) {
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return new X509Certificate[]{};
+ }
+ }
+ };
+ }
+
+
public InputStream getInputStream() {
Request.Builder requestBuilder = new Request.Builder()