[GitHub] [nifi] exceptionfactory commented on a change in pull request #4733: NIFI-8067: Fix 1-way SSL in GRPC processors

GitBox Mon, 04 Jan 2021 13:58:50 -0800


exceptionfactory commented on a change in pull request #4733:
URL: https://github.com/apache/nifi/pull/4733#discussion_r551593919




##########
File path: 
nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-processors/src/main/java/org/apache/nifi/processors/grpc/ListenGRPC.java
##########
@@ -153,70 +162,83 @@
         return RELATIONSHIPS;
     }
 
-
     @Override
     protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
         return PROPERTIES;
     }
 
+    @Override
+    protected Collection<ValidationResult> customValidate(ValidationContext 
context) {
+        List<ValidationResult> results = new 
ArrayList<>(super.customValidate(context));
+
+        final boolean useSecure = 
context.getProperty(PROP_USE_SECURE).asBoolean();
+        final boolean sslContextServiceConfigured = 
context.getProperty(PROP_SSL_CONTEXT_SERVICE).isSet();
+
+        if (useSecure && !sslContextServiceConfigured) {
+            results.add(new ValidationResult.Builder()
+                    .subject(PROP_SSL_CONTEXT_SERVICE.getDisplayName())
+                    .valid(false)
+                    .explanation(String.format("'%s' must be configured when 
'%s' is true", PROP_SSL_CONTEXT_SERVICE.getDisplayName(), 
PROP_USE_SECURE.getDisplayName()))
+                    .build());
+        }
+
+        return results;
+    }
 
     @OnScheduled
     public void startServer(final ProcessContext context) throws 
NoSuchAlgorithmException, IOException, KeyStoreException, CertificateException, 
UnrecoverableKeyException {
         final ComponentLog logger = getLogger();
         // gather configured properties
         final Integer port = 
context.getProperty(PROP_SERVICE_PORT).asInteger();
         final Boolean useSecure = 
context.getProperty(PROP_USE_SECURE).asBoolean();
-        final Integer flowControlWindow = 
context.getProperty(PROP_FLOW_CONTROL_WINDOW).asDataSize(DataUnit.B).intValue();
-        final Integer maxMessageSize = 
context.getProperty(PROP_MAX_MESSAGE_SIZE).asDataSize(DataUnit.B).intValue();
+        final int flowControlWindow = 
context.getProperty(PROP_FLOW_CONTROL_WINDOW).asDataSize(DataUnit.B).intValue();
+        final int maxMessageSize = 
context.getProperty(PROP_MAX_MESSAGE_SIZE).asDataSize(DataUnit.B).intValue();
         final SSLContextService sslContextService = 
context.getProperty(PROP_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
-        final SSLContext sslContext = sslContextService == null ? null : 
sslContextService.createSSLContext(org.apache.nifi.security.util.ClientAuth.NONE);
         final Pattern authorizedDnPattern = 
Pattern.compile(context.getProperty(PROP_AUTHORIZED_DN_PATTERN).getValue());
         final FlowFileIngestServiceInterceptor callInterceptor = new 
FlowFileIngestServiceInterceptor(getLogger());
         callInterceptor.enforceDNPattern(authorizedDnPattern);
 
         final FlowFileIngestService flowFileIngestService = new 
FlowFileIngestService(getLogger(),
                 sessionFactoryReference,
                 context);
-        NettyServerBuilder serverBuilder = NettyServerBuilder.forPort(port)
+        final NettyServerBuilder serverBuilder = 
NettyServerBuilder.forPort(port)
                 
.addService(ServerInterceptors.intercept(flowFileIngestService, 
callInterceptor))
                 // default (de)compressor registries handle both plaintext and 
gzip compressed messages
                 .compressorRegistry(CompressorRegistry.getDefaultInstance())
                 
.decompressorRegistry(DecompressorRegistry.getDefaultInstance())
                 .flowControlWindow(flowControlWindow)
-                .maxMessageSize(maxMessageSize);
+                .maxInboundMessageSize(maxMessageSize);
 
-        if (useSecure && sslContext != null) {
+        if (useSecure) {
             // construct key manager
             if (StringUtils.isBlank(sslContextService.getKeyStoreFile())) {
                 throw new IllegalStateException("SSL is enabled, but no 
keystore has been configured. You must configure a keystore.");
             }
 
-            final KeyManagerFactory keyManagerFactory = 
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm(),
-                    sslContext.getProvider());
+            final KeyManagerFactory keyManagerFactory = 
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
             final KeyStore keyStore = 
KeyStore.getInstance(sslContextService.getKeyStoreType());
             try (final InputStream is = new 
FileInputStream(sslContextService.getKeyStoreFile())) {
                 keyStore.load(is, 
sslContextService.getKeyStorePassword().toCharArray());
             }
             keyManagerFactory.init(keyStore, 
sslContextService.getKeyStorePassword().toCharArray());
 
-            SslContextBuilder sslContextBuilder = 
SslContextBuilder.forServer(keyManagerFactory);
+            final SslContextBuilder sslContextBuilder = 
SslContextBuilder.forServer(keyManagerFactory);
 
             // if the trust store is configured, then client auth is required.
             if (StringUtils.isNotBlank(sslContextService.getTrustStoreFile())) 
{
-                final TrustManagerFactory trustManagerFactory = 
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm(),
-                        sslContext.getProvider());
+                final TrustManagerFactory trustManagerFactory = 
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                 final KeyStore trustStore = 
KeyStore.getInstance(sslContextService.getTrustStoreType());
                 try (final InputStream is = new 
FileInputStream(sslContextService.getTrustStoreFile())) {
                     trustStore.load(is, 
sslContextService.getTrustStorePassword().toCharArray());
                 }
                 trustManagerFactory.init(trustStore);
-                sslContextBuilder = 
sslContextBuilder.trustManager(trustManagerFactory);
-                sslContextBuilder = 
sslContextBuilder.clientAuth(io.netty.handler.ssl.ClientAuth.REQUIRE);
+                sslContextBuilder.trustManager(trustManagerFactory);
+                sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
             } else {
-                sslContextBuilder = 
sslContextBuilder.clientAuth(io.netty.handler.ssl.ClientAuth.NONE);
+                sslContextBuilder.clientAuth(ClientAuth.NONE);
             }
-            sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder);
-            serverBuilder = 
serverBuilder.sslContext(sslContextBuilder.build());
+            GrpcSslContexts.configure(sslContextBuilder);

Review comment:
       You are correct, after looking more closely at 
`GrpcSslContexts.configure()`, it does appear to be setting some protocol 
options based on the runtime platform.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [nifi] exceptionfactory commented on a change in pull request #4733: NIFI-8067: Fix 1-way SSL in GRPC processors

Reply via email to