NIFI-1163: Providing handling of SSLContext creation in GetHTTP in case of only 
performing a one-way SSL request and accompanying test to verify the 
configuration/usage.

Reviewed by Tony Kurc ([email protected])


Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/01539ed3
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/01539ed3
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/01539ed3

Branch: refs/heads/NIFI-655
Commit: 01539ed3230894b062a7c2e42ffd9b50e3d51bf3
Parents: 90f6830
Author: Aldrin Piri <[email protected]>
Authored: Sat Nov 14 18:43:49 2015 -0500
Committer: Tony Kurc <[email protected]>
Committed: Sat Nov 14 18:47:50 2015 -0500

----------------------------------------------------------------------
 .../nifi/processors/standard/GetHTTP.java       | 28 +++---
 .../nifi/processors/standard/TestGetHTTP.java   | 94 ++++++++++++++------
 2 files changed, 87 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/01539ed3/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java
----------------------------------------------------------------------
diff --git 
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java
 
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java
index e846b82..2245080 100644
--- 
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java
+++ 
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java
@@ -49,6 +49,7 @@ import java.util.regex.Pattern;
 
 import javax.net.ssl.SSLContext;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.http.Header;
 import org.apache.http.HttpHost;
 import org.apache.http.HttpResponse;
@@ -64,11 +65,11 @@ import org.apache.http.conn.HttpClientConnectionManager;
 import org.apache.http.conn.socket.ConnectionSocketFactory;
 import org.apache.http.conn.socket.PlainConnectionSocketFactory;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
-import org.apache.http.conn.ssl.SSLContexts;
 import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
+import org.apache.http.ssl.SSLContextBuilder;
 import org.apache.nifi.annotation.behavior.InputRequirement;
 import org.apache.nifi.annotation.behavior.InputRequirement.Requirement;
 import org.apache.nifi.annotation.behavior.WritesAttribute;
@@ -320,19 +321,26 @@ public class GetHTTP extends 
AbstractSessionFactoryProcessor {
 
     private SSLContext createSSLContext(final SSLContextService service)
             throws KeyStoreException, IOException, NoSuchAlgorithmException, 
CertificateException, KeyManagementException, UnrecoverableKeyException {
-        final KeyStore truststore = 
KeyStore.getInstance(service.getTrustStoreType());
-        try (final InputStream in = new FileInputStream(new 
File(service.getTrustStoreFile()))) {
-            truststore.load(in, service.getTrustStorePassword().toCharArray());
-        }
 
-        final KeyStore keystore = 
KeyStore.getInstance(service.getKeyStoreType());
-        try (final InputStream in = new FileInputStream(new 
File(service.getKeyStoreFile()))) {
-            keystore.load(in, service.getKeyStorePassword().toCharArray());
+        final SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
+
+        if (StringUtils.isNotBlank(service.getTrustStoreFile())) {
+            final KeyStore truststore = 
KeyStore.getInstance(service.getTrustStoreType());
+            try (final InputStream in = new FileInputStream(new 
File(service.getTrustStoreFile()))) {
+                truststore.load(in, 
service.getTrustStorePassword().toCharArray());
+            }
+            sslContextBuilder.loadTrustMaterial(truststore, new 
TrustSelfSignedStrategy());
         }
 
-        final SSLContext sslContext = 
SSLContexts.custom().loadTrustMaterial(truststore, new 
TrustSelfSignedStrategy()).loadKeyMaterial(keystore, 
service.getKeyStorePassword().toCharArray()).build();
+        if (StringUtils.isNotBlank(service.getKeyStoreFile())){
+            final KeyStore keystore = 
KeyStore.getInstance(service.getKeyStoreType());
+            try (final InputStream in = new FileInputStream(new 
File(service.getKeyStoreFile()))) {
+                keystore.load(in, service.getKeyStorePassword().toCharArray());
+            }
+            sslContextBuilder.loadKeyMaterial(keystore, 
service.getKeyStorePassword().toCharArray());
+        }
 
-        return sslContext;
+        return sslContextBuilder.build();
     }
 
     @Override
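Review bot: The new truststore branch of createSSLContext still passes `new TrustSelfSignedStrategy()` to `loadTrustMaterial`, and in HttpClient 4.x that strategy accepts any single-certificate chain before the truststore's own trust managers are consulted. A server presenting an arbitrary self-signed certificate would therefore pass validation even when that certificate is not in the configured truststore. It is also inconsistent with the new no-truststore path, where the builder presumably falls back to the JVM default trust managers and rejects such a certificate. Consider `sslContextBuilder.loadTrustMaterial(truststore, null);` so that only the configured truststore decides. Separately, `loadKeyMaterial(keystore, service.getKeyStorePassword().toCharArray())` reuses the store password as the key password; if the service exposes a distinct key password (not visible in this hunk), it should be passed there instead.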

http://git-wip-us.apache.org/repos/asf/nifi/blob/01539ed3/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestGetHTTP.java
----------------------------------------------------------------------
diff --git 
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestGetHTTP.java
 
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestGetHTTP.java
index bb3d286..29ce429 100644
--- 
a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestGetHTTP.java
+++ 
b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestGetHTTP.java
@@ -317,48 +317,63 @@ public class TestGetHTTP {
         }
     }
 
-    private Map<String, String> getSslProperties() {
-        Map<String, String> props = new HashMap<String, String>();
-        props.put(StandardSSLContextService.KEYSTORE.getName(), 
"src/test/resources/localhost-ks.jks");
-        props.put(StandardSSLContextService.KEYSTORE_PASSWORD.getName(), 
"localtest");
-        props.put(StandardSSLContextService.KEYSTORE_TYPE.getName(), "JKS");
-        props.put(StandardSSLContextService.TRUSTSTORE.getName(), 
"src/test/resources/localhost-ts.jks");
-        props.put(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName(), 
"localtest");
-        props.put(StandardSSLContextService.TRUSTSTORE_TYPE.getName(), "JKS");
-        return props;
-    }
+    @Test
+    public final void testSecure_oneWaySsl() throws Exception {
+        // set up web service
+        final  ServletHandler handler = new ServletHandler();
+        handler.addServletWithMapping(HelloWorldServlet.class, "/*");
+
+        // create the service, disabling the need for client auth
+        final Map<String, String> serverSslProperties = 
getKeystoreProperties();
+        serverSslProperties.put(TestServer.NEED_CLIENT_AUTH, 
Boolean.toString(false));
+        final TestServer server = new TestServer(serverSslProperties);
+        server.addHandler(handler);
 
-    private void useSSLContextService() {
-        final SSLContextService service = new StandardSSLContextService();
         try {
-            controller.addControllerService("ssl-service", service, 
getSslProperties());
-            controller.enableControllerService(service);
-        } catch (InitializationException ex) {
-            ex.printStackTrace();
-            Assert.fail("Could not create SSL Context Service");
-        }
+            server.startServer();
 
-        controller.setProperty(GetHTTP.SSL_CONTEXT_SERVICE, "ssl-service");
+            final String destination = server.getSecureUrl();
+
+            // set up NiFi mock controller
+            controller = TestRunners.newTestRunner(GetHTTP.class);
+            // Use context service with only a truststore
+            useSSLContextService(getTruststoreProperties());
+
+            controller.setProperty(GetHTTP.CONNECTION_TIMEOUT, "5 secs");
+            controller.setProperty(GetHTTP.URL, destination);
+            controller.setProperty(GetHTTP.FILENAME, "testFile");
+            controller.setProperty(GetHTTP.ACCEPT_CONTENT_TYPE, 
"application/json");
+
+            controller.run();
+            controller.assertAllFlowFilesTransferred(GetHTTP.REL_SUCCESS, 1);
+            final MockFlowFile mff = 
controller.getFlowFilesForRelationship(GetHTTP.REL_SUCCESS).get(0);
+            mff.assertContentEquals("Hello, World!");
+        } finally {
+            server.shutdownServer();
+        }
     }
 
     @Test
-    public final void testSecure() throws Exception {
+    public final void testSecure_twoWaySsl() throws Exception {
         // set up web service
-        ServletHandler handler = new ServletHandler();
+        final ServletHandler handler = new ServletHandler();
         handler.addServletWithMapping(HelloWorldServlet.class, "/*");
 
-        // create the service
-        TestServer server = new TestServer(getSslProperties());
+        // create the service, providing both truststore and keystore 
properties, requiring client auth (default)
+        final Map<String, String> twoWaySslProperties = 
getKeystoreProperties();
+        twoWaySslProperties.putAll(getTruststoreProperties());
+        final TestServer server = new TestServer(twoWaySslProperties);
         server.addHandler(handler);
 
         try {
             server.startServer();
 
-            String destination = server.getSecureUrl();
+            final String destination = server.getSecureUrl();
 
             // set up NiFi mock controller
             controller = TestRunners.newTestRunner(GetHTTP.class);
-            useSSLContextService();
+            // Use context service with a keystore and a truststore
+            useSSLContextService(twoWaySslProperties);
 
             controller.setProperty(GetHTTP.CONNECTION_TIMEOUT, "5 secs");
             controller.setProperty(GetHTTP.URL, destination);
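Review bot: testSecure_oneWaySsl asserts only the success path, so it would still pass if server certificate validation were not enforced at all. Because the client context is built with `TrustSelfSignedStrategy`, the truststore contents may not influence the outcome. A companion case that gives the client a truststore without the server certificate, and asserts that nothing reaches `GetHTTP.REL_SUCCESS`, would pin the intended behaviour. Minor style point: `final  ServletHandler handler` has a doubled space. testSecure_twoWaySsl continues past the end of this hunk.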
@@ -374,4 +389,33 @@ public class TestGetHTTP {
         }
     }
 
+    private static Map<String, String> getTruststoreProperties() {
+        final Map<String, String> props = new HashMap<>();
+        props.put(StandardSSLContextService.TRUSTSTORE.getName(), 
"src/test/resources/localhost-ts.jks");
+        props.put(StandardSSLContextService.TRUSTSTORE_PASSWORD.getName(), 
"localtest");
+        props.put(StandardSSLContextService.TRUSTSTORE_TYPE.getName(), "JKS");
+        return props;
+    }
+
+    private static Map<String, String> getKeystoreProperties() {
+        final Map<String, String> properties = new HashMap<>();
+        properties.put(StandardSSLContextService.KEYSTORE.getName(), 
"src/test/resources/localhost-ks.jks");
+        properties.put(StandardSSLContextService.KEYSTORE_PASSWORD.getName(), 
"localtest");
+        properties.put(StandardSSLContextService.KEYSTORE_TYPE.getName(), 
"JKS");
+        return properties;
+    }
+
+    private void useSSLContextService(final Map<String, String> sslProperties) 
{
+        final SSLContextService service = new StandardSSLContextService();
+        try {
+            controller.addControllerService("ssl-service", service, 
sslProperties);
+            controller.enableControllerService(service);
+        } catch (InitializationException ex) {
+            ex.printStackTrace();
+            Assert.fail("Could not create SSL Context Service");
+        }
+
+        controller.setProperty(GetHTTP.SSL_CONTEXT_SERVICE, "ssl-service");
+    }
+
 }
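Review bot: In useSSLContextService the `catch (InitializationException ex)` block calls `ex.printStackTrace()` and then `Assert.fail(...)`, so the failure reported by the test runner carries no cause and the stack trace is only on stderr. Rethrowing with the cause keeps the diagnosis in the test report: `throw new AssertionError("Could not create SSL Context Service", ex);`. The two property helpers would also benefit from a short comment stating that `localhost-ks.jks`, `localhost-ts.jks` and the `localtest` password are test-only fixtures that must not be reused outside `src/test/resources`.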
