Posted to commits@pinot.apache.org by xi...@apache.org on 2024/02/17 04:38:25 UTC
(pinot) branch master updated: Adding support to insecure TLS when creating SSLFactory (#12425)
This is an automated email from the ASF dual-hosted git repository.
xiangfu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git
The following commit(s) were added to refs/heads/master by this push:
new 706dd5926d Adding support to insecure TLS when creating SSLFactory (#12425)
706dd5926d is described below
commit 706dd5926d76744215041124dfafe660866cd64e
Author: Haitao Zhang <ha...@startree.ai>
AuthorDate: Fri Feb 16 20:38:18 2024 -0800
Adding support for insecure TLS when creating SSLFactory (#12425)
---
.../org/apache/pinot/common/utils/TlsUtils.java | 25 +++++++++++++---------
.../apache/pinot/common/utils/TlsUtilsTest.java | 10 ++++-----
2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
index bfc833c129..6e46bcd96d 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
@@ -246,11 +246,11 @@ public final class TlsUtils {
SecureRandom secureRandom = new SecureRandom();
SSLFactory sslFactory = createSSLFactory(keyStoreType, keyStorePath, keyStorePassword,
trustStoreType, trustStorePath, trustStorePassword,
- "SSL", secureRandom, true);
+ "SSL", secureRandom, true, false);
if (isKeyOrTrustStorePathNullOrHasFileScheme(keyStorePath)
&& isKeyOrTrustStorePathNullOrHasFileScheme(trustStorePath)) {
enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, keyStoreType, keyStorePath, keyStorePassword,
- trustStoreType, trustStorePath, trustStorePassword, "SSL", secureRandom);
+ trustStoreType, trustStorePath, trustStorePassword, "SSL", secureRandom, false);
}
// HttpsURLConnection
HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory.getSslSocketFactory());
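Review bot: Both calls in this hunk pass a literal `false` for the new isInsecure argument, so an insecure setting configured through TlsConfig never reaches the JVM-wide default socket factory installed via HttpsURLConnection.setDefaultSSLSocketFactory, and the file-watch reload on the second call will likewise always rebuild with trust-store validation. If that is deliberate, a comment on the first call such as `// insecure mode is intentionally never applied to the JVM-wide default SSL socket factory` would make the asymmetry with the TlsConfig-based paths explicit; if not, the value should be taken from the caller's configuration. The enclosing method starts outside the hunk, so whether a TlsConfig is available there is not visible here.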
@@ -387,14 +387,14 @@ public final class TlsUtils {
enableAutoRenewalFromFileStoreForSSLFactory(sslFactory,
tlsConfig.getKeyStoreType(), tlsConfig.getKeyStorePath(), tlsConfig.getKeyStorePassword(),
tlsConfig.getTrustStoreType(), tlsConfig.getTrustStorePath(), tlsConfig.getTrustStorePassword(),
- null, null);
+ null, null, tlsConfig.isInsecure());
}
private static void enableAutoRenewalFromFileStoreForSSLFactory(
SSLFactory sslFactory,
String keyStoreType, String keyStorePath, String keyStorePassword,
String trustStoreType, String trustStorePath, String trustStorePassword,
- String sslContextProtocol, SecureRandom secureRandom) {
+ String sslContextProtocol, SecureRandom secureRandom, boolean isInsecure) {
try {
URL keyStoreURL = keyStorePath == null ? null : makeKeyOrTrustStoreUrl(keyStorePath);
URL trustStoreURL = trustStorePath == null ? null : makeKeyOrTrustStoreUrl(trustStorePath);
@@ -426,7 +426,7 @@ public final class TlsUtils {
reloadSslFactoryWhenFileStoreChanges(sslFactory,
keyStoreType, keyStorePath, keyStorePassword,
trustStoreType, trustStorePath, trustStorePassword,
- sslContextProtocol, secureRandom);
+ sslContextProtocol, secureRandom, isInsecure);
} catch (Exception e) {
throw new RuntimeException(e);
}
@@ -440,7 +440,7 @@ public final class TlsUtils {
static void reloadSslFactoryWhenFileStoreChanges(SSLFactory baseSslFactory,
String keyStoreType, String keyStorePath, String keyStorePassword,
String trustStoreType, String trustStorePath, String trustStorePassword,
- String sslContextProtocol, SecureRandom secureRandom)
+ String sslContextProtocol, SecureRandom secureRandom, boolean isInsecure)
throws IOException, URISyntaxException, InterruptedException {
LOGGER.info("Enable auto renewal of SSLFactory {} when key store {} or trust store {} changes",
baseSslFactory, keyStorePath, trustStorePath);
@@ -466,7 +466,7 @@ public final class TlsUtils {
try {
SSLFactory updatedSslFactory =
createSSLFactory(keyStoreType, keyStorePath, keyStorePassword, trustStoreType, trustStorePath,
- trustStorePassword, sslContextProtocol, secureRandom, false);
+ trustStorePassword, sslContextProtocol, secureRandom, false, isInsecure);
SSLFactoryUtils.reload(baseSslFactory, updatedSslFactory);
LOGGER.info("Successfully renewed SSLFactory {} (built from key store {} and truststore {}) on file"
+ " {} changes", baseSslFactory, keyStorePath, trustStorePath, changedFile);
@@ -511,14 +511,14 @@ public final class TlsUtils {
return createSSLFactory(
tlsConfig.getKeyStoreType(), tlsConfig.getKeyStorePath(), tlsConfig.getKeyStorePassword(),
tlsConfig.getTrustStoreType(), tlsConfig.getTrustStorePath(), tlsConfig.getTrustStorePassword(),
- null, null, true);
+ null, null, true, tlsConfig.isInsecure());
}
@VisibleForTesting
static SSLFactory createSSLFactory(
String keyStoreType, String keyStorePath, String keyStorePassword,
String trustStoreType, String trustStorePath, String trustStorePassword,
- String sslContextProtocol, SecureRandom secureRandom, boolean keyAndTrustMaterialSwappable) {
+ String sslContextProtocol, SecureRandom secureRandom, boolean keyAndTrustMaterialSwappable, boolean isInsecure) {
try {
SSLFactory.Builder sslFactoryBuilder = SSLFactory.builder();
InputStream keyStoreStream = null;
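Review bot: createSSLFactory now ends with two adjacent boolean parameters, keyAndTrustMaterialSwappable and isInsecure, and every call site in this commit passes bare literals such as `true, false`, so a transposed pair compiles silently and, for isInsecure, turns into a security downgrade rather than a test failure; the same pattern is introduced on enableAutoRenewalFromFileStoreForSSLFactory and reloadSslFactoryWhenFileStoreChanges. None of the three new parameters is documented; at minimum add `@param isInsecure when true the configured trust store is ignored and all peer certificates are accepted` on createSSLFactory and a one-line Javadoc on the other two saying the flag is only forwarded to createSSLFactory on reload. Naming the literals at the call sites (`/* keyAndTrustMaterialSwappable= */ true, /* isInsecure= */ false`) would make accidental swaps visible in review. The body of createSSLFactory continues outside the hunk.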
@@ -531,7 +531,12 @@ public final class TlsUtils {
}
sslFactoryBuilder.withIdentityMaterial(keyStoreStream, keyStorePassword.toCharArray(), keyStoreType);
}
- if (trustStorePath != null) {
+ if (isInsecure) {
+ if (keyAndTrustMaterialSwappable) {
+ sslFactoryBuilder.withSwappableTrustMaterial();
+ }
+ sslFactoryBuilder.withUnsafeTrustMaterial();
+ } else if (trustStorePath != null) {
Preconditions.checkNotNull(trustStorePassword, "trust store password must not be null");
trustStoreStream = makeKeyOrTrustStoreUrl(trustStorePath).openStream();
if (keyAndTrustMaterialSwappable) {
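Review bot: When isInsecure is true the new branch calls withUnsafeTrustMaterial() and silently skips the trust store that the caller configured via trustStorePath, without any log line, so an operator reading the logs cannot tell that peer certificates are no longer validated. Add a warning as the first statement of the branch, e.g. `LOGGER.warn("Insecure TLS enabled: peer certificates will not be validated; ignoring trust store {}", trustStorePath);`, mirroring the info-level logging this class already does for reloads. Whether withUnsafeTrustMaterial() also relaxes hostname verification depends on the SSLFactory library version and is not visible here; the Javadoc for isInsecure should state which of the two it affects. The rest of the trust-material handling continues outside the hunk.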
diff --git a/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java b/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
index 589dc5e654..21c0e7b92a 100644
--- a/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
+++ b/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
@@ -131,7 +131,7 @@ public class TlsUtilsTest {
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), secureRandom);
SSLFactory sslFactory =
TlsUtils.createSSLFactory(KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD,
- TRUSTSTORE_TYPE, TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true);
+ TRUSTSTORE_TYPE, TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true, false);
KeyManagerFactory swappableKeyManagerFactory = sslFactory.getKeyManagerFactory().get();
assertEquals(swappableKeyManagerFactory.getKeyManagers().length, keyManagerFactory.getKeyManagers().length);
assertEquals(swappableKeyManagerFactory.getKeyManagers().length, 1);
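Review bot: Every updated call in TlsUtilsTest passes `false` for the new isInsecure argument, so the branch this commit adds to createSSLFactory (withUnsafeTrustMaterial, optionally combined with withSwappableTrustMaterial) has no test coverage; the same holds for the remaining TlsUtilsTest hunks in this commit. A test that calls createSSLFactory with isInsecure set to true, a null trust store path and each value of keyAndTrustMaterialSwappable, then asserts that sslFactory.getTrustManager() is present, would pin the intended behaviour and catch a future regression that starts honouring the trust store again.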
@@ -173,7 +173,7 @@ public class TlsUtilsTest {
throws IOException, URISyntaxException, InterruptedException {
SecureRandom secureRandom = new SecureRandom();
SSLFactory sslFactory = TlsUtils.createSSLFactory(KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD, TRUSTSTORE_TYPE,
- TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true);
+ TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true, false);
X509ExtendedKeyManager x509ExtendedKeyManager = sslFactory.getKeyManager().get();
X509ExtendedTrustManager x509ExtendedTrustManager = sslFactory.getTrustManager().get();
SSLContext sslContext = sslFactory.getSslContext();
@@ -188,7 +188,7 @@ public class TlsUtilsTest {
() -> {
try {
TlsUtils.reloadSslFactoryWhenFileStoreChanges(sslFactory, KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD,
- TRUSTSTORE_TYPE, TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom);
+ TRUSTSTORE_TYPE, TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, false);
} catch (Exception e) {
throw new RuntimeException(e);
}
@@ -231,7 +231,7 @@ public class TlsUtilsTest {
public void enableAutoRenewalFromFileStoreForSSLFactoryThrows() {
SSLFactory swappableSslFactory =
TlsUtils.createSSLFactory(KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD, TRUSTSTORE_TYPE,
- TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", null, true);
+ TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", null, true, false);
TlsConfig tlsConfig = new TlsConfig();
tlsConfig.setKeyStoreType(KEYSTORE_TYPE);
tlsConfig.setKeyStorePath("ftp://" + TLS_KEYSTORE_FILE_PATH);
@@ -262,7 +262,7 @@ public class TlsUtilsTest {
SSLFactory nonSwappableSslFactory =
TlsUtils.createSSLFactory(KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD, TRUSTSTORE_TYPE,
- TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", null, false);
+ TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", null, false, false);
e = null;
tlsConfig.setTrustStorePath(TLS_TRUSTSTORE_FILE_PATH);
try {