This is an automated email from the ASF dual-hosted git repository.

asalamon74 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/oozie.git


The following commit(s) were added to refs/heads/master by this push:
     new e46483c  OOZIE-3312 Add support for HSTS (kmarton via asalamon74)
e46483c is described below

commit e46483cfe7ab4858afeac94a370ee8a3e449516f
Author: Andras Salamon <[email protected]>
AuthorDate: Mon Mar 11 11:52:58 2019 +0100

    OOZIE-3312 Add support for HSTS (kmarton via asalamon74)
---
 core/src/main/resources/oozie-default.xml          |  8 ++++++
 docs/src/site/markdown/AG_Install.md               |  4 +++
 release-log.txt                                    |  1 +
 .../oozie/server/SSLServerConnectorFactory.java    |  9 +++++-
 .../server/TestSSLServerConnectorFactory.java      | 32 ++++++++++++++++++++++
 5 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/core/src/main/resources/oozie-default.xml 
b/core/src/main/resources/oozie-default.xml
index c7f2bec..811c8b9 100644
--- a/core/src/main/resources/oozie-default.xml
+++ b/core/src/main/resources/oozie-default.xml
@@ -2782,6 +2782,14 @@ will be the requeue interval for the actions which are 
waiting for a long time w
     </property>
 
     <property>
+        <name>oozie.hsts.max.age.seconds</name>
+        <value>31536000</value>
+        <description>
+            Strict Transport Security max age in seconds if SSL is enabled. 
Ideally it is set to one year (31536000 sec).
+        </description>
+    </property>
+
+    <property>
         <name>oozie.jsp.tmp.dir</name>
         <value>/tmp</value>
         <description>
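Review bot: The new `oozie.hsts.max.age.seconds` description does not say what a zero or negative value does, although the AG_Install.md change in this same commit states that either disables HSTS; an administrator reading only oozie-default.xml has no way to know the header can be switched off. I would extend the description with `Set to 0 or a negative value to disable the Strict-Transport-Security header.` so the two documents agree. Whether 0 and a negative value really behave identically depends on Jetty's SecureRequestCustomizer, so that sentence is worth confirming against the bundled Jetty version before it is committed.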
diff --git a/docs/src/site/markdown/AG_Install.md 
b/docs/src/site/markdown/AG_Install.md
index 270b98f..100f7c5 100644
--- a/docs/src/site/markdown/AG_Install.md
+++ b/docs/src/site/markdown/AG_Install.md
@@ -941,6 +941,10 @@ included with your JRE. If it's not on your path, you 
should be able to find it
     - To include / exclude TLS protocols, set `oozie.https.include.protocols` 
/ `oozie.https.exclude.protocols`.
     **Note:** Exclude is always preferred over include (i.e. if you both 
include and exclude an entity, it will be excluded).
 
+    **Note:** When SSL is enabled, HTTP Strict-Transport_security (HSTS) is 
also enabled. The default value for max-age is
+    31536000 (one year). This can be changed by setting 
`oozie.hsts.max.age.seconds` property.
+    Setting it to `0` or `negative value`, will disable HSTS.
+
 3. Start the Oozie server
 
     **Note:** If using Oozie HA, make sure that each Oozie server has a copy 
of the .keystore file.
diff --git a/release-log.txt b/release-log.txt
index 6e6586e..8a60154 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
 -- Oozie 5.2.0 release (trunk - unreleased)
 
+OOZIE-3312 Add support for HSTS (kmarton via asalamon74)
 OOZIE-3207 Update ASF root pom version (asalamon74 via kmarton)
 OOZIE-1624 Exclusion pattern for sharelib JARs (puru, matijhs via asalamon74, 
andras.piros)
 OOZIE-2693 SimpleHCatDependencyCache.removeMissingDependency can throw NPE 
(puru via asalamon74)
diff --git 
a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java 
b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
index 466cefc..aea02a0 100644
--- 
a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
+++ 
b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
@@ -19,6 +19,7 @@
 package org.apache.oozie.server;
 
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import com.google.inject.Inject;
 import org.apache.hadoop.conf.Configuration;
@@ -47,6 +48,9 @@ class SSLServerConnectorFactory {
     public static final String OOZIE_HTTPS_INCLUDE_PROTOCOLS = 
"oozie.https.include.protocols";
     public static final String OOZIE_HTTPS_INCLUDE_CIPHER_SUITES = 
"oozie.https.include.cipher.suites";
     public static final String OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES = 
"oozie.https.exclude.cipher.suites";
+    public static final String OOZIE_HSTS_MAX_AGE_SECONDS = 
"oozie.hsts.max.age.seconds";
+    @VisibleForTesting
+    static final long OOZIE_DEFAULT_HSTS_MAX_AGE = 31536000;
 
     private SslContextFactory sslContextFactory;
     private Configuration conf;
@@ -144,7 +148,10 @@ class SSLServerConnectorFactory {
     private HttpConfiguration getHttpsConfiguration() {
         HttpConfiguration https = new 
HttpConfigurationWrapper(conf).getDefaultHttpConfiguration();
         https.setSecureScheme("https");
-        https.addCustomizer(new SecureRequestCustomizer());
+        long htsMaxAgeSeconds = conf.getLong(OOZIE_HSTS_MAX_AGE_SECONDS, 
OOZIE_DEFAULT_HSTS_MAX_AGE);
+        boolean sniHostCheck = true;
+        boolean stsIncludeSubdomains = false;
+        https.addCustomizer(new SecureRequestCustomizer(sniHostCheck, 
htsMaxAgeSeconds, stsIncludeSubdomains));
         return https;
     }
 }
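Review bot: The local `htsMaxAgeSeconds` on the new `conf.getLong(...)` line in `getHttpsConfiguration` looks like a typo for `hstsMaxAgeSeconds`, and the two hard-coded booleans handed to `SecureRequestCustomizer` carry no explanation of why SNI host checking stays on and `includeSubDomains` stays off. The latter is a security-relevant choice (the header then protects only this exact host, not subdomains), so it deserves either a configuration property alongside `oozie.hsts.max.age.seconds` or at least a comment stating the decision. I would rename the local and annotate the call with something like `// HSTS is only emitted on the TLS connector; includeSubDomains is intentionally off, and a non-positive max-age disables the header (Jetty-defined — confirm for the Jetty version in use)`. The docs added in this commit say both 0 and negative values disable HSTS; that claim rests on Jetty's handling of the value and should be verified rather than assumed.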
diff --git 
a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
 
b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
index f926a09..1e010c1 100644
--- 
a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
+++ 
b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
@@ -19,6 +19,9 @@
 package org.apache.oozie.server;
 
 import org.apache.hadoop.conf.Configuration;
+import org.eclipse.jetty.http.HttpVersion;
+import org.eclipse.jetty.server.HttpConnectionFactory;
+import org.eclipse.jetty.server.SecureRequestCustomizer;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
@@ -40,6 +43,7 @@ import static 
org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_INCL
 import static 
org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_KEYSTORE_FILE;
 import static 
org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_KEYSTORE_PASS;
 import static org.apache.oozie.util.ConfigUtils.OOZIE_HTTP_PORT;
+import static org.junit.Assert.assertEquals;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
@@ -77,6 +81,7 @@ public class TestSSLServerConnectorFactory {
 
     @After
     public void tearDown() {
+        testConfig.clear();
         verify(mockSSLContextFactory).setKeyStorePath(anyString());
         verify(mockSSLContextFactory).setKeyManagerPassword(anyString());
         verifyNoMoreInteractions(
@@ -143,4 +148,31 @@ public class TestSSLServerConnectorFactory {
                 "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
                 "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA");
     }
+
+    @Test
+    public void testHSTSDefault() {
+        checkHSTSMaxAge(SSLServerConnectorFactory.OOZIE_DEFAULT_HSTS_MAX_AGE);
+    }
+
+    @Test
+    public void testHSTSDisabled() {
+        long maxAge = -1;
+        
testConfig.setLong(SSLServerConnectorFactory.OOZIE_HSTS_MAX_AGE_SECONDS,maxAge);
+        checkHSTSMaxAge(maxAge);
+    }
+
+    @Test
+    public void testHSTSCustomMaxAge() {
+        long maxAge = 3600;
+        
testConfig.setLong(SSLServerConnectorFactory.OOZIE_HSTS_MAX_AGE_SECONDS,maxAge);
+        checkHSTSMaxAge(maxAge);
+
+    }
+
+    private void checkHSTSMaxAge(final long expectedMaxAge) {
+        ServerConnector connector = 
sslServerConnectorFactory.createSecureServerConnector(42, testConfig, 
mockServer);
+        HttpConnectionFactory factory = 
(HttpConnectionFactory)connector.getConnectionFactory(HttpVersion.HTTP_1_1.asString());
+        long actualMaxAge = 
factory.getHttpConfiguration().getCustomizer(SecureRequestCustomizer.class).getStsMaxAge();
+        assertEquals("HSTS max age mismatch", expectedMaxAge, actualMaxAge);
+    }
 }
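Review bot: The new tests only confirm that the configured value reaches `SecureRequestCustomizer.getStsMaxAge()`; `testHSTSDisabled` uses -1, but the AG_Install.md text in this commit also promises that `0` disables HSTS, and no test covers that value. Adding a case with `maxAge = 0` (and, if the harness can issue a request, an assertion on whether a `Strict-Transport-Security` header is actually emitted) would pin the documented contract rather than just the plumbing. In `checkHSTSMaxAge`, a null return from `getCustomizer(SecureRequestCustomizer.class)` would surface as a NullPointerException instead of the labelled assertion, so an `assertNotNull` on the customizer first would give a clearer failure. Minor style points in the same hunk: `testConfig.setLong(SSLServerConnectorFactory.OOZIE_HSTS_MAX_AGE_SECONDS,maxAge)` is missing a space after the comma, and `testHSTSCustomMaxAge` ends with a stray blank line.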
