anmolnar commented on a change in pull request #681: ZOOKEEPER-3176: Quorum TLS - add SSL config options
URL: https://github.com/apache/zookeeper/pull/681#discussion_r247509842
 
 

 ##########
 File path: 
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
 ##########
 @@ -82,7 +83,187 @@
 
     public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS = 5000;
 
+    /**
+     * Enum specifying the client auth requirement of server-side TLS sockets 
created by this X509Util.
+     * <ul>
+     *     <li>NONE - do not request a client certificate.</li>
+     *     <li>WANT - request a client certificate, but allow anonymous 
clients to connect.</li>
+     *     <li>NEED - require a client certificate, disconnect anonymous 
clients.</li>
+     * </ul>
+     *
+     * If the config property is not set, the default value is NEED.
+     */
+    public enum ClientAuth {
+        NONE,
+        WANT,
+        NEED;
+
+        /**
+         * Converts a property value to a ClientAuth enum. If the input string 
is empty or null, returns
+         * <code>ClientAuth.NEED</code>.
+         * @param prop the property string.
+         * @return the ClientAuth.
+         * @throws IllegalArgumentException if the property value is not 
"NONE", "WANT", "NEED", or empty/null.
+         */
+        public static ClientAuth fromPropertyValue(String prop) {
+            if (prop == null || prop.length() == 0) {
+                return NEED;
+            }
+            return ClientAuth.valueOf(prop.toUpperCase());
+        }
+    }
+
+    /**
+     * Wrapper class for an SSLContext + some config options that can't be set 
on the context when it is created but
+     * must be set on a secure socket created by the context after the socket 
creation. By wrapping the options in this
+     * class we avoid reading from global system properties during socket 
configuration. This makes testing easier
+     * since we can create different X509Util instances with different 
configurations in a single test process, and
+     * unit test interactions between them.
+     */
+    public class SSLContextAndOptions {
 
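Review bot: In ClientAuth.fromPropertyValue, the return line `ClientAuth.valueOf(prop.toUpperCase())` neither trims the value nor pins a locale, so a setting such as "NEED " with trailing whitespace is rejected with the generic enum IllegalArgumentException, which does not name the config property that was wrong. Consider trimming before the null/empty check, using `toUpperCase(Locale.ROOT)`, and rethrowing with a message that names the property and lists NONE, WANT and NEED. Rejecting an unrecognized value rather than falling back to a weaker mode is the right behavior for a client-auth setting and should stay as it is. The enum Javadoc also says "If the config property is not set" without saying which property; naming it there would help operators.
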
 Review comment:
   I think this class is big enough to live in a separate file.
