flink-issues mailing list archives

From pnowojski <...@git.apache.org>
Subject [GitHub] flink pull request #6355: [FLINK-9878][network][ssl] add more low-level ssl ...
Date Mon, 23 Jul 2018 09:29:34 GMT
Github user pnowojski commented on a diff in the pull request:

    https://github.com/apache/flink/pull/6355#discussion_r204328091
  
    --- Diff: flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java ---
    @@ -163,80 +163,188 @@ public static void setSSLVerifyHostname(Configuration sslConfig,
SSLParameters s
     	}
     
     	/**
    -	 * Creates the SSL Context for the client if SSL is configured.
    +	 * Configuration settings and key/trustmanager instances to set up an SSL client connection.
    +	 */
    +	public static class SSLClientConfiguration {
    +		public final String sslProtocolVersion;
    +		public final TrustManagerFactory trustManagerFactory;
    +		public final int sessionCacheSize;
    +		public final int sessionTimeoutMs;
    +		public final int handshakeTimeoutMs;
    +		public final int closeNotifyFlushTimeoutMs;
    +
    +		public SSLClientConfiguration(
    +				String sslProtocolVersion,
    +				TrustManagerFactory trustManagerFactory,
    +				int sessionCacheSize,
    +				int sessionTimeoutMs,
    +				int handshakeTimeoutMs,
    +				int closeNotifyFlushTimeoutMs) {
    +			this.sslProtocolVersion = sslProtocolVersion;
    +			this.trustManagerFactory = trustManagerFactory;
    +			this.sessionCacheSize = sessionCacheSize;
    +			this.sessionTimeoutMs = sessionTimeoutMs;
    +			this.handshakeTimeoutMs = handshakeTimeoutMs;
    +			this.closeNotifyFlushTimeoutMs = closeNotifyFlushTimeoutMs;
    +		}
    +	}
    +
    +	/**
    +	 * Creates necessary helper objects to use for creating an SSL Context for the client
if SSL is
    +	 * configured.
     	 *
     	 * @param sslConfig
     	 *        The application configuration
    -	 * @return The SSLContext object which can be used by the ssl transport client
    -	 * 	       Returns null if SSL is disabled
    +	 * @return The SSLClientConfiguration object which can be used for creating some SSL
context object;
    +	 * 	       returns <tt>null</tt> if SSL is disabled.
     	 * @throws Exception
     	 *         Thrown if there is any misconfiguration
     	 */
     	@Nullable
    -	public static SSLContext createSSLClientContext(Configuration sslConfig) throws Exception
{
    -
    +	public static SSLClientConfiguration createSSLClientConfiguration(Configuration sslConfig)
throws Exception {
     		Preconditions.checkNotNull(sslConfig);
    -		SSLContext clientSSLContext = null;
     
     		if (getSSLEnabled(sslConfig)) {
    -			LOG.debug("Creating client SSL context from configuration");
    +			LOG.debug("Creating client SSL configuration");
     
     			String trustStoreFilePath = sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE);
     			String trustStorePassword = sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD);
     			String sslProtocolVersion = sslConfig.getString(SecurityOptions.SSL_PROTOCOL);
    +			int sessionCacheSize = sslConfig.getInteger(SecurityOptions.SSL_SESSION_CACHE_SIZE);
    +			int sessionTimeoutMs = sslConfig.getInteger(SecurityOptions.SSL_SESSION_TIMEOUT);
    +			int handshakeTimeoutMs = sslConfig.getInteger(SecurityOptions.SSL_HANDSHAKE_TIMEOUT);
    +			int closeNotifyFlushTimeoutMs = sslConfig.getInteger(SecurityOptions.SSL_CLOSE_NOTIFY_FLUSH_TIMEOUT);
     
     			Preconditions.checkNotNull(trustStoreFilePath, SecurityOptions.SSL_TRUSTSTORE.key()
+ " was not configured.");
     			Preconditions.checkNotNull(trustStorePassword, SecurityOptions.SSL_TRUSTSTORE_PASSWORD.key()
+ " was not configured.");
     
     			KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
     
    -			FileInputStream trustStoreFile = null;
    -			try {
    -				trustStoreFile = new FileInputStream(new File(trustStoreFilePath));
    +			try (FileInputStream trustStoreFile = new FileInputStream(new File(trustStoreFilePath)))
{
     				trustStore.load(trustStoreFile, trustStorePassword.toCharArray());
    -			} finally {
    -				if (trustStoreFile != null) {
    -					trustStoreFile.close();
    -				}
     			}
     
     			TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
     				TrustManagerFactory.getDefaultAlgorithm());
     			trustManagerFactory.init(trustStore);
     
    -			clientSSLContext = SSLContext.getInstance(sslProtocolVersion);
    -			clientSSLContext.init(null, trustManagerFactory.getTrustManagers(), null);
    +			return new SSLClientConfiguration(
    +				sslProtocolVersion,
    +				trustManagerFactory,
    +				sessionCacheSize,
    +				sessionTimeoutMs,
    +				handshakeTimeoutMs,
    +				closeNotifyFlushTimeoutMs);
    +		}
    +
    +		return null;
    +	}
    +
    +	/**
    +	 * Creates the SSL Context for the client assuming SSL is configured.
    +	 *
    +	 * @param sslConfig
    +	 *        SSL configuration
    +	 * @return The SSLContext object which can be used by the ssl transport client
    +	 * @throws Exception
    +	 *         Thrown if there is any misconfiguration
    +	 */
    +	public static SSLContext createSSLClientContext(SSLClientConfiguration sslConfig) throws
Exception {
    +		Preconditions.checkNotNull(sslConfig);
    +
    +		LOG.debug("Creating client SSL context from configuration");
    +		SSLContext clientSSLContext = SSLContext.getInstance(sslConfig.sslProtocolVersion);
    +		clientSSLContext.init(null, sslConfig.trustManagerFactory.getTrustManagers(), null);
    +		if (sslConfig.sessionCacheSize >= 0) {
    +			clientSSLContext.getClientSessionContext().setSessionCacheSize(sslConfig.sessionCacheSize);
    +		}
    +		if (sslConfig.sessionTimeoutMs >= 0) {
    +			clientSSLContext.getClientSessionContext().setSessionTimeout(sslConfig.sessionTimeoutMs
/ 1000);
     		}
     
     		return clientSSLContext;
     	}
     
     	/**
    -	 * Creates the SSL Context for the server if SSL is configured.
    +	 * Creates the SSL Context for the client if SSL is configured.
     	 *
     	 * @param sslConfig
     	 *        The application configuration
    -	 * @return The SSLContext object which can be used by the ssl transport server
    +	 * @return The SSLContext object which can be used by the ssl transport client
     	 * 	       Returns null if SSL is disabled
     	 * @throws Exception
     	 *         Thrown if there is any misconfiguration
     	 */
     	@Nullable
    -	public static SSLContext createSSLServerContext(Configuration sslConfig) throws Exception
{
    +	public static SSLContext createSSLClientContext(Configuration sslConfig) throws Exception
{
    +		Preconditions.checkNotNull(sslConfig);
    +		SSLContext clientSSLContext = null;
    +
    +		if (getSSLEnabled(sslConfig)) {
    +			SSLClientConfiguration clientConfiguration = createSSLClientConfiguration(sslConfig);
    +			clientSSLContext = createSSLClientContext(clientConfiguration);
    +		}
     
    +		return clientSSLContext;
    +	}
    +
    +	/**
    +	 * Configuration settings and key/trustmanager instances to set up an SSL server connection.
    +	 */
    +	public static class SSLServerConfiguration {
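Review bot: In the new createSSLClientContext(SSLClientConfiguration) the session timeout is converted with integer division, `setSessionTimeout(sslConfig.sessionTimeoutMs / 1000)`, so any configured value between 1 and 999 ms truncates to 0, which SSLSessionContext.setSessionTimeout treats as "no limit" — the opposite of what a small value asks for. Rounding up keeps the limit: `int sessionTimeoutSec = (sslConfig.sessionTimeoutMs + 999) / 1000;` followed by `clientSSLContext.getClientSessionContext().setSessionTimeout(sessionTimeoutSec);`. The `>= 0` guards on both setters also let an explicit 0 through, where the JSSE API means unlimited for both the cache size and the timeout; if that is the intended way to disable the limits, a comment on the guards such as `// 0 means unlimited in JSSE for both cache size and timeout; negative values leave the JSSE defaults untouched` would make it visible, since the defaults in SecurityOptions are not shown in this hunk. The hunk ends at the header of SSLServerConfiguration, whose body lies outside it.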
    --- End diff --
    
    Another code duplication. Extract common properties to `SSLClientServerCommonConfiguration`?


---
