Posted to commits@tinkerpop.apache.org by rd...@apache.org on 2018/09/04 17:16:39 UTC

[1/9] tinkerpop git commit: TINKERPOP-2023 minor edits

Repository: tinkerpop
Updated Branches:
  refs/heads/tp33 98ab1b05a -> e1c46b265


TINKERPOP-2023 minor edits


Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/6434d040
Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/6434d040
Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/6434d040

Branch: refs/heads/tp33
Commit: 6434d0406c13ca2b5315fbfd0ff1c7b49c2fddfe
Parents: d05e3c5
Author: Robert Dale <ro...@gmail.com>
Authored: Mon Aug 13 15:45:27 2018 -0400
Committer: Robert Dale <ro...@gmail.com>
Committed: Fri Aug 17 15:06:33 2018 -0400

----------------------------------------------------------------------
 docs/src/reference/gremlin-applications.asciidoc   | 4 ++--
 docs/src/upgrade/release-3.2.x-incubating.asciidoc | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/6434d040/docs/src/reference/gremlin-applications.asciidoc
----------------------------------------------------------------------
diff --git a/docs/src/reference/gremlin-applications.asciidoc b/docs/src/reference/gremlin-applications.asciidoc
index 8ad8a0a..d13e2ef 100644
--- a/docs/src/reference/gremlin-applications.asciidoc
+++ b/docs/src/reference/gremlin-applications.asciidoc
@@ -751,7 +751,7 @@ The following table describes the various configuration options for the Gremlin
 |connectionPool.sslCipherSuites |The list of JSSE ciphers to support for SSL connections. If specified, only the ciphers that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
 |connectionPool.sslEnabledProtocols |The list of SSL protocols to support for SSL connections. If specified, only the protocols that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
 |connectionPool.sslSkipCertValidation |Configures the `TrustManager` to trust all certs without any validation. Should not be used in production.|false
-|connectionPool.trustCertChainFile |File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and SSL is enabled, the default `TrustManager` will be uesd. |_none_
+|connectionPool.trustCertChainFile |File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and SSL is enabled, the default `TrustManager` will be used. |_none_
 |connectionPool.trustStore |File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and SSL is enabled, the default `TrustManager` will be used. |_none_
 |connectionPool.trustStorePassword |The password of the `trustStore` if it is password-protected |_none_
 |hosts |The list of hosts that the driver will connect to. |localhost
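Review bot: only the `uesd` typo changes in this hunk, but the `connectionPool.trustStore` row two lines below is a verbatim copy of the `connectionPool.trustCertChainFile` row ("File location for a SSL Certificate Chain ..."), so the table gives a reader no way to tell the PEM chain file from the JKS/PKCS#12 trust store. Reword the `trustStore` row to say it is a JKS or PKCS#12 store of the certificates the client should trust, and say what happens when `sslSkipCertValidation` is `true` and a `trustStore` is also configured, since both rows sit side by side and the table is silent on which one wins.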
@@ -1161,7 +1161,7 @@ The following table describes the various configuration options that Gremlin Ser
 |ssl.keyPassword |The password of the `keyFile` if it is password-protected. |_none_
 |ssl.keyStore |The private key in JKS or PKCS#12 format.  |_none_
 |ssl.keyStorePassword |The password of the `keyStore` if it is password-protected. |_none_
-|ssl.keyStoreType |JKS (Java 8 default) or PKCS#12 (Java 9+ default) |_none_
+|ssl.keyStoreType |`JKS` (Java 8 default) or `PKCS12` (Java 9+ default) |_none_
 |ssl.needClientAuth | Optional. One of NONE, OPTIONAL, REQUIRE.  Enables client certificate authentication at the enforcement level specified. Can be used in combination with Authenticator. |_none_
 |ssl.sslCipherSuites |The list of JSSE ciphers to support for SSL connections. If specified, only the ciphers that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
 |ssl.sslEnabledProtocols |The list of SSL protocols to support for SSL connections. If specified, only the protocols that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
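Review bot: `ssl.keyStoreType` now names the two accepted key store formats, but the table has no matching row for the trust store's format, so a reader cannot tell whether `ssl.trustStore` must be the same type as `ssl.keyStore` or is handled separately. Either add the missing row or extend the `ssl.keyStoreType` description to say it applies to `ssl.trustStore` as well. The `ssl.keyStore` row above it ("The private key in JKS or PKCS#12 format") is also incomplete: for the server to present itself the store has to hold the private key together with its certificate chain, which is what the PEM pair `keyFile` + `keyCertChainFile` used to split across two files.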

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/6434d040/docs/src/upgrade/release-3.2.x-incubating.asciidoc
----------------------------------------------------------------------
diff --git a/docs/src/upgrade/release-3.2.x-incubating.asciidoc b/docs/src/upgrade/release-3.2.x-incubating.asciidoc
index 9b0a120..ec973de 100644
--- a/docs/src/upgrade/release-3.2.x-incubating.asciidoc
+++ b/docs/src/upgrade/release-3.2.x-incubating.asciidoc
@@ -49,7 +49,8 @@ The packaged `*-secure.yaml` files now restrict the protocol to `TLSv1.2` by def
 
 PEM-based configurations are deprecated and may be removed in a future release.
 
-See the section on configuring SSL.
+See also http://tinkerpop.apache.org/docs/current/reference/#_configuration[Connecting via Java Configuration],
+http://tinkerpop.apache.org/docs/current/reference/#_configuring_2[Gremlin Server Configuration].
 
 link:https://issues.apache.org/jira/browse/TINKERPOP-2022[TINKERPOP-2022]
 link:https://issues.apache.org/jira/browse/TINKERPOP-2023[TINKERPOP-2023]
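Review bot: both new links rely on auto-generated AsciiDoc section ids (`#_configuration` and `#_configuring_2`), and `_configuring_2` in particular is a numbered de-duplication that will point at a different section as soon as a heading is added, renamed or reordered in the reference docs. Give the two target sections explicit `[[...]]` anchors and link to those. Pointing a 3.2.x upgrade note at `docs/current` also means the link drifts away from the release it describes; the `3.2.10` form used elsewhere in this file is safer.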


[6/9] tinkerpop git commit: Removed deprecated settings from docs, updated javadoc

Posted by rd...@apache.org.
Removed deprecated settings from docs, updated javadoc


Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/bbc0265c
Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/bbc0265c
Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/bbc0265c

Branch: refs/heads/tp33
Commit: bbc0265c06f803d06ec2b6a600d4632d3f7d7d9b
Parents: 6434d04
Author: Robert Dale <ro...@gmail.com>
Authored: Fri Aug 17 15:47:27 2018 -0400
Committer: Robert Dale <ro...@gmail.com>
Committed: Fri Aug 17 15:47:27 2018 -0400

----------------------------------------------------------------------
 .../src/reference/gremlin-applications.asciidoc |  8 ----
 .../tinkerpop/gremlin/driver/Cluster.java       | 42 +++++++++++---------
 .../tinkerpop/gremlin/driver/Settings.java      | 10 ++---
 .../tinkerpop/gremlin/server/Settings.java      | 34 ++++++++--------
 4 files changed, 46 insertions(+), 48 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/bbc0265c/docs/src/reference/gremlin-applications.asciidoc
----------------------------------------------------------------------
diff --git a/docs/src/reference/gremlin-applications.asciidoc b/docs/src/reference/gremlin-applications.asciidoc
index d13e2ef..8372a8a 100644
--- a/docs/src/reference/gremlin-applications.asciidoc
+++ b/docs/src/reference/gremlin-applications.asciidoc
@@ -730,9 +730,6 @@ The following table describes the various configuration options for the Gremlin
 |connectionPool.channelizer |The fully qualified classname of the client `Channelizer` that defines how to connect to the server. |`Channelizer.WebSocketChannelizer`
 |connectionPool.enableSsl |Determines if SSL should be enabled or not. If enabled on the server then it must be enabled on the client. |false
 |connectionPool.keepAliveInterval |Length of time in milliseconds to wait on an idle connection before sending a keep-alive request. Set to zero to disable this feature. |1800000
-|connectionPool.keyCertChainFile |The X.509 certificate chain file in PEM format. |_none_
-|connectionPool.keyFile |The `PKCS#8` private key file in PEM format. |_none_
-|connectionPool.keyPassword |The password of the `keyFile` if it is password-protected. |_none_
 |connectionPool.keyStore |The private key in JKS or PKCS#12 format. |_none_
 |connectionPool.keyStorePassword |The password of the `keyStore` if it is password-protected. |_none_
 |connectionPool.keyStoreType |`JKS` (Java 8 default) or `PKCS12` (Java 9+ default)|_none_
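Review bot: dropping the `keyCertChainFile`, `keyFile` and `keyPassword` rows removes the only user-facing documentation of settings that this same commit keeps in `Cluster.Builder` as `@Deprecated` but still functional, so someone who already has them in a YAML file loses the pointer to their replacement. Keep the rows with a "deprecated, use `connectionPool.keyStore` / `connectionPool.keyStorePassword`" marker, or add a one-line migration note under the table; the upgrade doc's "PEM-based configurations are deprecated" sentence does not name the replacement settings.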
@@ -751,7 +748,6 @@ The following table describes the various configuration options for the Gremlin
 |connectionPool.sslCipherSuites |The list of JSSE ciphers to support for SSL connections. If specified, only the ciphers that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
 |connectionPool.sslEnabledProtocols |The list of SSL protocols to support for SSL connections. If specified, only the protocols that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
 |connectionPool.sslSkipCertValidation |Configures the `TrustManager` to trust all certs without any validation. Should not be used in production.|false
-|connectionPool.trustCertChainFile |File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and SSL is enabled, the default `TrustManager` will be used. |_none_
 |connectionPool.trustStore |File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and SSL is enabled, the default `TrustManager` will be used. |_none_
 |connectionPool.trustStorePassword |The password of the `trustStore` if it is password-protected |_none_
 |hosts |The list of hosts that the driver will connect to. |localhost
@@ -1156,16 +1152,12 @@ The following table describes the various configuration options that Gremlin Ser
 |serializers[X].className |The full class name of the `MessageSerializer` implementation. |_none_
 |serializers[X].config |A `Map` containing `MessageSerializer` specific configurations. |_none_
 |ssl.enabled |Determines if SSL is turned on or not. |false
-|ssl.keyCertChainFile |The X.509 certificate chain file in PEM format.|_none_
-|ssl.keyFile |The `PKCS#8` private key file in PEM format.|_none_
-|ssl.keyPassword |The password of the `keyFile` if it is password-protected. |_none_
 |ssl.keyStore |The private key in JKS or PKCS#12 format.  |_none_
 |ssl.keyStorePassword |The password of the `keyStore` if it is password-protected. |_none_
 |ssl.keyStoreType |`JKS` (Java 8 default) or `PKCS12` (Java 9+ default) |_none_
 |ssl.needClientAuth | Optional. One of NONE, OPTIONAL, REQUIRE.  Enables client certificate authentication at the enforcement level specified. Can be used in combination with Authenticator. |_none_
 |ssl.sslCipherSuites |The list of JSSE ciphers to support for SSL connections. If specified, only the ciphers that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
 |ssl.sslEnabledProtocols |The list of SSL protocols to support for SSL connections. If specified, only the protocols that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
-|ssl.trustCertChainFile | Required when needClientAuth is OPTIONAL or REQUIRE. Trusted certificates for verifying the remote endpoint's certificate. The file should contain an X.509 certificate chain in PEM format. |_none_
 |ssl.trustStore |Required when needClientAuth is OPTIONAL or REQUIRE. Trusted certificates for verifying the remote endpoint's certificate. If this value is not provided and SSL is enabled, the default `TrustManager` will be used. |_none_
 |ssl.trustStorePassword |The password of the `trustStore` if it is password-protected |_none_
 |strictTransactionManagement |Set to `true` to require `aliases` to be submitted on every requests, where the `aliases` become the scope of transaction management. |false
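Review bot: the `ssl.trustStore` row contradicts itself. It opens with "Required when needClientAuth is OPTIONAL or REQUIRE" and then says "If this value is not provided and SSL is enabled, the default `TrustManager` will be used", which means it is not required at all. Say which is true; if the server does start without it, spell out that client certificates will then be validated only against the JVM's default trust store, which is rarely what an operator turning on `needClientAuth` intends.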

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/bbc0265c/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java
----------------------------------------------------------------------
diff --git a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java
index 6e4ef25..7ae8d2d 100644
--- a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java
+++ b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java
@@ -569,11 +569,11 @@ public final class Cluster {
         private String keyCertChainFile = null;
         private String keyFile = null;
         private String keyPassword = null;
-        private String keyStore;
-        private String keyStorePassword;
-        private String trustStore;
-        private String trustStorePassword;
-        private String keyStoreType;
+        private String keyStore = null;
+        private String keyStorePassword = null;
+        private String trustStore = null;
+        private String trustStorePassword = null;
+        private String keyStoreType = null;
         private List<String> sslEnabledProtocols = new ArrayList<>();
         private List<String> sslCipherSuites = new ArrayList<>();
         private boolean sslSkipCertValidation = false;
@@ -655,9 +655,8 @@ public final class Cluster {
 
         /**
          * File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and
-         * SSL is enabled, the {@link TrustManager} will be established with a self-signed certificate which is NOT
-         * suitable for production purposes.
-         * @deprecated
+         * SSL is enabled, the default {@link TrustManager} will be used.
+         * @deprecated As of release 3.2.10, replaced by {@link trustStore}
          */
         @Deprecated
         public Builder trustCertificateChainFile(final String certificateChainFile) {
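Review bot: `{@link trustStore}` on the `@deprecated` tag is not a valid Javadoc reference; without a leading `#` javadoc looks for a type named `trustStore` and reports an error (a doclint-enabled build fails on it). Use `{@link #trustStore(String)}`. The new description also still calls the replacement "a SSL Certificate Chain" file, which is the PEM wording; the replacement is a JKS/PKCS#12 trust store, so say that here too.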
@@ -677,7 +676,7 @@ public final class Cluster {
 
         /**
          * The X.509 certificate chain file in PEM format.
-         * @deprecated
+         * @deprecated As of release 3.2.10, replaced by {@link keyStore}
          */
         @Deprecated
         public Builder keyCertChainFile(final String keyCertChainFile) {
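Review bot: `{@link keyStore}` needs the member prefix, `{@link #keyStore(String)}`; as written javadoc resolves it as a class name and errors. The same unprefixed form appears on the `keyFile` and `keyPassword` deprecation tags in the next two hunks and should be fixed together with this one.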
@@ -687,7 +686,7 @@ public final class Cluster {
 
         /**
          * The PKCS#8 private key file in PEM format.
-         * @deprecated
+         * @deprecated As of release 3.2.10, replaced by {@link keyStore}
          */
         @Deprecated
         public Builder keyFile(final String keyFile) {
@@ -697,7 +696,7 @@ public final class Cluster {
 
         /**
          * The password of the {@link #keyFile}, or {@code null} if it's not password-protected.
-         * @deprecated
+         * @deprecated As of release 3.2.10, replaced by {@link keyStorePassword}
          */
         @Deprecated
         public Builder keyPassword(final String keyPassword) {
@@ -706,7 +705,7 @@ public final class Cluster {
         }
         
         /**
-         * 
+         * The file location of the private key in JKS or PKCS#12 format.
          */
         public Builder keyStore(final String keyStore) {
             this.keyStore = keyStore;
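Review bot: "The file location of the private key in JKS or PKCS#12 format" undersells what this store has to contain: for the TLS handshake the key store must hold the private key together with its certificate chain, the two things `keyFile` and `keyCertChainFile` used to carry separately, so "private key and certificate chain" is the accurate wording. It would also help to state that a client key store only matters when the server is configured with `ssl.needClientAuth`, since otherwise a reader may think it is needed for every SSL connection.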
@@ -714,7 +713,7 @@ public final class Cluster {
         }
         
         /**
-         * 
+         * The password of the {@link #keyStore}, or {@code null} if it's not password-protected.
          */
         public Builder keyStorePassword(final String keyStorePassword) {
             this.keyStorePassword = keyStorePassword;
@@ -722,7 +721,8 @@ public final class Cluster {
         }
         
         /**
-         * 
+         * The file location for a SSL Certificate Chain to use when SSL is enabled. If
+         * this value is not provided and SSL is enabled, the default {@link TrustManager} will be used.
          */
         public Builder trustStore(final String trustStore) {
             this.trustStore = trustStore;
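Review bot: the `trustStore` Javadoc reuses the PEM wording "a SSL Certificate Chain" from `trustCertificateChainFile`. A trust store is a JKS or PKCS#12 store of trusted CA or server certificates, not a chain file; describe it as such so the non-deprecated method is not documented in terms of the deprecated one.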
@@ -730,7 +730,7 @@ public final class Cluster {
         }
         
         /**
-         * 
+         * The password of the {@link #trustStore}, or {@code null} if it's not password-protected.
          */
         public Builder trustStorePassword(final String trustStorePassword) {
             this.trustStorePassword = trustStorePassword;
@@ -738,7 +738,7 @@ public final class Cluster {
         }
         
         /**
-         * 
+         * The format of the {@link keyStore}, either {@code JKS} or {@code PKCS12} 
          */
         public Builder keyStoreType(final String keyStoreType) {
             this.keyStoreType = keyStoreType;
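Review bot: `{@link keyStore}` again lacks the `#` prefix (`{@link #keyStore(String)}`), the sentence has no terminating period and carries trailing whitespace, and the comment does not say what happens when the type is left unset, whereas the reference table promises `JKS` on Java 8 and `PKCS12` on Java 9+. State the fallback here so the Javadoc and the table agree.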
@@ -746,7 +746,9 @@ public final class Cluster {
         }
         
         /**
-         * 
+         * A list of SSL protocols to enable. @see <a href=
+         *      "https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols">JSSE
+         *      Protocols</a>
          */
         public Builder sslEnabledProtocols(final List<String> sslEnabledProtocols) {
             this.sslEnabledProtocols = sslEnabledProtocols;
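Review bot: `@see` is a block tag and is only recognised at the start of a line after the description; embedded mid-sentence as "A list of SSL protocols to enable. @see <a href=...>" it is emitted as literal text rather than a reference. Either put `@see <a href="...">JSSE Protocols</a>` on its own line after the description, or keep it inline as plain HTML: "A list of SSL protocols to enable; see <a href="...">JSSE Protocols</a>." The `sslCipherSuites` method in the next hunk has the same layout.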
@@ -754,7 +756,9 @@ public final class Cluster {
         }
         
         /**
-         * 
+         * A list of cipher suites to enable. @see <a href=
+         *      "https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites">Cipher
+         *      Suites</a>
          */
         public Builder sslCipherSuites(final List<String> sslCipherSuites) {
             this.sslCipherSuites = sslCipherSuites;
@@ -762,7 +766,7 @@ public final class Cluster {
         }
         
         /**
-         * 
+         * If true, trust all certificates and do not perform any validation.
          */
         public Builder sslSkipCertValidation(final boolean sslSkipCertValidation) {
             this.sslSkipCertValidation = sslSkipCertValidation;
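Review bot: the `sslSkipCertValidation` Javadoc should carry the same warning the reference table gives ("Should not be used in production"). "If true, trust all certificates and do not perform any validation" reads neutrally, yet this is the switch that removes server identity checking altogether; say in the Javadoc that it is for test setups against self-signed certificates only and leaves the connection open to interception.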

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/bbc0265c/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
----------------------------------------------------------------------
diff --git a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
index 4d54792..fedd337 100644
--- a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
+++ b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
@@ -258,28 +258,28 @@ final class Settings {
 
         /**
          * The trusted certificate in PEM format.
-         * @deprecated Use JSSE-based settings
+         * @deprecated As of release 3.2.10, replaced by {@link trustStore}
          */
         @Deprecated
         public String trustCertChainFile = null;
 
         /**
          * The X.509 certificate chain file in PEM format.
-         * @deprecated Use JSSE-based settings
+         * @deprecated As of release 3.2.10, replaced by {@link keyStore}
          */
         @Deprecated
         public String keyCertChainFile = null;
 
         /**
          * The PKCS#8 private key file in PEM format.
-         * @deprecated Use JSSE-based settings
+         * @deprecated As of release 3.2.10, replaced by {@link keyStore}
          */
         @Deprecated
         public String keyFile = null;
 
         /**
          * The password of the {@link #keyFile}, or {@code null} if it's not password-protected.
-         * @deprecated Use JSSE-based settings
+         * @deprecated As of release 3.2.10, replaced by {@link keyStorePassword}
          */
         @Deprecated
         public String keyPassword = null;
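Review bot: all four `@deprecated` tags in this hunk use `{@link trustStore}`, `{@link keyStore}` and `{@link keyStorePassword}` without the `#` prefix, so none of them resolves as a field reference; write `{@link #trustStore}` and so on (these are fields, so no parameter list). The "Use JSSE-based settings" text being replaced was at least rendering correctly; keep the release number but make the references resolve.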
@@ -329,7 +329,7 @@ final class Settings {
         public List<String> sslCipherSuites = new ArrayList<>();
 
         /**
-         * 
+         * If true, trust all certificates and do not perform any validation.
          */
         public boolean sslSkipCertValidation = false;
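Review bot: this field doc should not be weaker than the settings table: add that `sslSkipCertValidation = true` disables certificate validation entirely and must not be used in production, since this is the field a YAML `connectionPool.sslSkipCertValidation` entry maps to.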
 

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/bbc0265c/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java b/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java
index c918f8b..4acfea0 100644
--- a/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java
+++ b/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java
@@ -51,6 +51,8 @@ import java.util.Optional;
 import java.util.ServiceLoader;
 import java.util.UUID;
 
+import javax.net.ssl.TrustManager;
+
 /**
  * Server settings as configured by a YAML file.
  *
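Review bot: `javax.net.ssl.TrustManager` is imported here solely so that a `{@link TrustManager}` in the `trustStore` Javadoc further down resolves; several compiler and static-analysis configurations flag imports used only from Javadoc as unused. Writing `{@link javax.net.ssl.TrustManager}` in the comment avoids the import and the warning.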
@@ -457,7 +459,7 @@ public class Settings {
         /**
          * The X.509 certificate chain file in PEM format.
          * 
-         * @deprecated Use JSSE-based settings
+         * @deprecated As of release 3.2.10, replaced by {@link keyStore}
          */
         @Deprecated
         public String keyCertChainFile = null;
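Review bot: `{@link keyStore}` needs the `#` prefix to reference the field (`{@link #keyStore}`); the same applies to the `keyFile`, `keyPassword` and `trustCertChainFile` deprecation tags that follow in this file.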
@@ -465,7 +467,7 @@ public class Settings {
         /**
          * The PKCS#8 private key file in PEM format.
          * 
-         * @deprecated Use JSSE-based settings
+         * @deprecated As of release 3.2.10, replaced by {@link keyStore}
          */
         @Deprecated
         public String keyFile = null;
@@ -474,7 +476,7 @@ public class Settings {
          * The password of the {@link #keyFile}, or {@code null} if it's not
          * password-protected.
          * 
-         * @deprecated Use JSSE-based settings
+         * @deprecated As of release 3.2.10, replaced by {@link keyStorePassword}
          */
         @Deprecated
         public String keyPassword = null;
@@ -484,48 +486,48 @@ public class Settings {
          * file should contain an X.509 certificate chain in PEM format. {@code null}
          * uses the system default.
          * 
-         * @deprecated Use JSSE-based settings
+         * @deprecated As of release 3.2.10, replaced by {@link trustStore}
          */
         @Deprecated
         public String trustCertChainFile = null;
 
         /**
-         * JSSE keystore file path. Similar to setting JSSE property
-         * {@code javax.net.ssl.keyStore}.
+         * The file location of the private key in JKS or PKCS#12 format.
          */
         public String keyStore;
 
         /**
-         * JSSE keystore password. Similar to setting JSSE property
-         * {@code javax.net.ssl.keyStorePassword}.
+         * The password of the {@link #keyStore}, or {@code null} if it's not password-protected.
          */
         public String keyStorePassword;
 
         /**
-         * JSSE truststore file path. Similar to setting JSSE property
-         * {@code javax.net.ssl.trustStore}.
+         * Trusted certificates for verifying the remote client's certificate. If
+         * this value is not provided and SSL is enabled, the default {@link TrustManager} will be used.
          */
         public String trustStore;
 
         /**
-         * JSSE truststore password. Similar to setting JSSE property
-         * {@code javax.net.ssl.trustStorePassword}.
+         * The password of the {@link #trustStore}, or {@code null} if it's not password-protected.
          */
         public String trustStorePassword;
 
         /**
-         * JSSE keystore format. Similar to setting JSSE property
-         * {@code javax.net.ssl.keyStoreType}.
+         * The format of the {@link keyStore}, either {@code JKS} or {@code PKCS12}
          */
         public String keyStoreType;
 
         /**
-         * @see <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols">JSSE Protocols</a>
+         * A list of SSL protocols to enable. @see <a href=
+         *      "https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols">JSSE
+         *      Protocols</a>
          */
         public List<String> sslEnabledProtocols = new ArrayList<>();
 
         /**
-         * @see <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites">Cipher Suites</a>
+         * A list of cipher suites to enable. @see <a href=
+         *      "https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites">Cipher
+         *      Suites</a>
          */
         public List<String> sslCipherSuites = new ArrayList<>();
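Review bot: three problems in this hunk. `{@link keyStore}` under `keyStoreType` lacks the `#` prefix. The `@see` tags for `sslEnabledProtocols` and `sslCipherSuites` were working as block tags on their own line and have been moved into the description sentence, where a block tag is not recognised, so two previously correct links now render as literal "@see" text. And the removed "Similar to setting JSSE property `javax.net.ssl.keyStore`" sentences were the one place that told operators these settings mirror the standard JSSE system properties; that is worth keeping as a second sentence rather than deleting.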
 


[8/9] tinkerpop git commit: merge TINKERPOP-2023

Posted by rd...@apache.org.
merge TINKERPOP-2023


Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/e937a3a5
Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/e937a3a5
Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/e937a3a5

Branch: refs/heads/tp33
Commit: e937a3a50a45d23dac114529c5062391f940fbcd
Parents: 3afc576 b77c0c7
Author: Robert Dale <ro...@gmail.com>
Authored: Tue Sep 4 07:26:23 2018 -0400
Committer: Robert Dale <ro...@gmail.com>
Committed: Tue Sep 4 07:26:23 2018 -0400

----------------------------------------------------------------------
 CHANGELOG.asciidoc                              |   1 +
 .../src/reference/gremlin-applications.asciidoc |  82 +++++--
 .../upgrade/release-3.2.x-incubating.asciidoc   |  26 +++
 gremlin-console/conf/remote-secure.yaml         |   5 +-
 .../tinkerpop/gremlin/driver/Cluster.java       | 180 ++++++++++++++-
 .../tinkerpop/gremlin/driver/Settings.java      |  83 +++++++
 .../tinkerpop/gremlin/driver/SettingsTest.java  |  17 ++
 .../conf/gremlin-server-rest-secure.yaml        |   7 +-
 gremlin-server/conf/gremlin-server-secure.yaml  |   7 +-
 .../gremlin/server/AbstractChannelizer.java     |  90 ++++++--
 .../tinkerpop/gremlin/server/Settings.java      |  66 +++++-
 .../AbstractGremlinServerIntegrationTest.java   |  13 ++
 .../server/GremlinServerAuthIntegrateTest.java  |   4 +-
 .../GremlinServerAuthOldIntegrateTest.java      |   4 +-
 .../server/GremlinServerIntegrateTest.java      | 223 ++++++++++++++++---
 ...ctGremlinServerChannelizerIntegrateTest.java |  12 +-
 .../src/test/resources/client-key.jks           | Bin 0 -> 2241 bytes
 .../src/test/resources/client-key.p12           | Bin 0 -> 2583 bytes
 .../src/test/resources/client-trust.jks         | Bin 0 -> 969 bytes
 .../src/test/resources/client-trust.p12         | Bin 0 -> 1202 bytes
 .../src/test/resources/server-key.jks           | Bin 0 -> 2258 bytes
 .../src/test/resources/server-key.p12           | Bin 0 -> 2613 bytes
 .../src/test/resources/server-trust.jks         | Bin 0 -> 952 bytes
 .../src/test/resources/server-trust.p12         | Bin 0 -> 1186 bytes
 24 files changed, 723 insertions(+), 97 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e937a3a5/CHANGELOG.asciidoc
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e937a3a5/docs/src/upgrade/release-3.2.x-incubating.asciidoc
----------------------------------------------------------------------
diff --cc docs/src/upgrade/release-3.2.x-incubating.asciidoc
index c7ae1e2,ec973de..5cc52c8
--- a/docs/src/upgrade/release-3.2.x-incubating.asciidoc
+++ b/docs/src/upgrade/release-3.2.x-incubating.asciidoc
@@@ -29,13 -29,32 +29,39 @@@ Please see the link:https://github.com/
  
  === Upgrading for Users
  
 +==== SASL in Gremlin.Net
 +
 +The Gremlin Javascript Driver now supports SASL Plain Text authentication against a Gremlin Server.
 +
 +See: link:https://issues.apache.org/jira/browse/TINKERPOP-1977[TINKERPOP-1977],
 +link:http://tinkerpop.apache.org/docs/3.2.10/reference#gremlin-javascript[Reference Documentation - Gremlin Javascript]
 +
+ ==== SSL Security
+ 
+ TinkerPop improves its security posture by removing insecure defaults and adding forward-looking standards support.
+ 
+ Gremlin Server no longer supports automatically creating self-signed certificates.
+ Self-signed certificates can still be created manually outside of Gremlin Server.
+ If ssl is enabled, a key store must be configured.
+ 
+ Cluster client no longer trusts all certs by default as this is an insecure configuration.
+ Instead, if no trust store is configured, Cluster will use the default CA certs.
+ To revert to the previous behavior and accept all certs, it must be explicitly configured.
+ 
+ This release introduces JKS and PKCS12 support. JKS is the legacy Java Key Store. PKCS12 has better cross-platform support and is gaining in adoption.
+ Be aware that JKS is the default on Java 8.  Java 9 and higher use PKCS12 as the default. Both Java keytool and OpenSSL tools can create, read, update PKCS12 files.
+ 
+ Other new features include specifying SSL protocols and cipher suites.
+ The packaged `*-secure.yaml` files now restrict the protocol to `TLSv1.2` by default.
+ 
+ PEM-based configurations are deprecated and may be removed in a future release.
+ 
+ See also http://tinkerpop.apache.org/docs/current/reference/#_configuration[Connecting via Java Configuration],
+ http://tinkerpop.apache.org/docs/current/reference/#_configuring_2[Gremlin Server Configuration].
+ 
+ link:https://issues.apache.org/jira/browse/TINKERPOP-2022[TINKERPOP-2022]
+ link:https://issues.apache.org/jira/browse/TINKERPOP-2023[TINKERPOP-2023]
+ 
  ==== Bulk Import and Export
  
  TinkerPop has provided some general methods for importing and exporting data, but more and more graph providers are
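Review bot: the new "SASL in Gremlin.Net" heading is contradicted by its own body, which talks about the Gremlin Javascript Driver and links to the gremlin-javascript reference section; one of the two is wrong. In the SSL Security block, "If ssl is enabled, a key store must be configured" conflicts with the PEM options that the same release keeps as deprecated but still accepted (`keyCertChainFile`/`keyFile`); say "a key store, or for now the deprecated PEM key and certificate files" so operators on PEM do not read this as their configuration no longer starting.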

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e937a3a5/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
----------------------------------------------------------------------


[5/9] tinkerpop git commit: TINKERPOP-2023 new SSL client, server parameters

Posted by rd...@apache.org.
TINKERPOP-2023 new SSL client, server parameters


Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/e3b4ae5d
Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/e3b4ae5d
Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/e3b4ae5d

Branch: refs/heads/tp33
Commit: e3b4ae5d848d641d6dbdbfa940acab470c64fabb
Parents: 5f770b1
Author: Robert Dale <ro...@gmail.com>
Authored: Sat Aug 11 21:12:50 2018 -0400
Committer: Robert Dale <ro...@gmail.com>
Committed: Fri Aug 17 15:06:33 2018 -0400

----------------------------------------------------------------------
 gremlin-console/conf/remote-secure.yaml         |   5 +-
 .../tinkerpop/gremlin/driver/Cluster.java       | 172 ++++++++++++++++++-
 .../tinkerpop/gremlin/driver/Settings.java      |  57 ++++++
 .../conf/gremlin-server-rest-secure.yaml        |   6 +-
 gremlin-server/conf/gremlin-server-secure.yaml  |   6 +-
 .../gremlin/server/AbstractChannelizer.java     |  78 +++++++--
 .../tinkerpop/gremlin/server/Settings.java      |  64 ++++++-
 .../AbstractGremlinServerIntegrationTest.java   |   7 +
 .../server/GremlinServerAuthIntegrateTest.java  |   4 +-
 .../GremlinServerAuthOldIntegrateTest.java      |   4 +-
 .../server/GremlinServerIntegrateTest.java      |  41 ++---
 ...ctGremlinServerChannelizerIntegrateTest.java |  10 +-
 gremlin-server/src/test/resources/server.jks    | Bin 0 -> 2258 bytes
 gremlin-server/src/test/resources/server.p12    | Bin 0 -> 2613 bytes
 14 files changed, 396 insertions(+), 58 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-console/conf/remote-secure.yaml
----------------------------------------------------------------------
diff --git a/gremlin-console/conf/remote-secure.yaml b/gremlin-console/conf/remote-secure.yaml
index 4f8d22b..c7a2c44 100644
--- a/gremlin-console/conf/remote-secure.yaml
+++ b/gremlin-console/conf/remote-secure.yaml
@@ -29,5 +29,6 @@ port: 8182
 username: stephen
 password: password
 connectionPool: {
-  enableSsl: true}
-serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
\ No newline at end of file
+  enableSsl: true,
+  sslSkipCertValidation: true }
+serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
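Review bot: `gremlin-console/conf/remote-secure.yaml` now ships with `sslSkipCertValidation: true`, which turns off server certificate validation in the very file users are told to copy for a secure remote connection; after this series the client validates against the JVM trust store by default, so the packaged example reverts to trust-anything. Either drop the line, or leave it commented out with a note that it exists only for local testing against a self-signed server certificate and must be removed for real deployments.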

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java
----------------------------------------------------------------------
diff --git a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java
index 567bfb4..6e4ef25 100644
--- a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java
+++ b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java
@@ -33,15 +33,25 @@ import org.apache.commons.lang3.concurrent.BasicThreadFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
 import java.lang.ref.WeakReference;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.URI;
 import java.net.UnknownHostException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -172,6 +182,14 @@ public final class Cluster {
                 .keyCertChainFile(settings.connectionPool.keyCertChainFile)
                 .keyFile(settings.connectionPool.keyFile)
                 .keyPassword(settings.connectionPool.keyPassword)
+                .keyStore(settings.connectionPool.keyStore)
+                .keyStorePassword(settings.connectionPool.keyStorePassword)
+                .keyStoreType(settings.connectionPool.keyStoreType)
+                .trustStore(settings.connectionPool.trustStore)
+                .trustStorePassword(settings.connectionPool.trustStorePassword)
+                .sslCipherSuites(settings.connectionPool.sslCipherSuites)
+                .sslEnabledProtocols(settings.connectionPool.sslEnabledProtocols)
+                .sslSkipCertValidation(settings.connectionPool.sslSkipCertValidation)
                 .nioPoolSize(settings.nioPoolSize)
                 .workerPoolSize(settings.workerPoolSize)
                 .reconnectInterval(settings.connectionPool.reconnectInterval)
@@ -446,29 +464,81 @@ public final class Cluster {
         return manager.authProps;
     }
 
-    SslContext createSSLContext() throws Exception  {
+    SslContext createSSLContext() throws Exception {
         // if the context is provided then just use that and ignore the other settings
-        if (manager.sslContextOptional.isPresent()) return manager.sslContextOptional.get();
+        if (manager.sslContextOptional.isPresent())
+            return manager.sslContextOptional.get();
 
         final SslProvider provider = SslProvider.JDK;
         final Settings.ConnectionPoolSettings connectionPoolSettings = connectionPoolSettings();
         final SslContextBuilder builder = SslContextBuilder.forClient();
 
-        if (connectionPoolSettings.trustCertChainFile != null)
+        if (connectionPoolSettings.trustCertChainFile != null) {
+            logger.warn("Using deprecated SSL trustCertChainFile support");
             builder.trustManager(new File(connectionPoolSettings.trustCertChainFile));
-        else {
-            logger.warn("SSL configured without a trustCertChainFile and thus trusts all certificates without verification (not suitable for production)");
-            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
         }
 
         if (null != connectionPoolSettings.keyCertChainFile && null != connectionPoolSettings.keyFile) {
+            logger.warn("Using deprecated SSL keyFile support");
             final File keyCertChainFile = new File(connectionPoolSettings.keyCertChainFile);
             final File keyFile = new File(connectionPoolSettings.keyFile);
 
-            // note that keyPassword may be null here if the keyFile is not password-protected.
+            // note that keyPassword may be null here if the keyFile is not
+            // password-protected.
             builder.keyManager(keyCertChainFile, keyFile, connectionPoolSettings.keyPassword);
         }
 
+        // Build JSSE SSLContext
+        try {
+
+            // Load private key/public cert for client auth
+            if (null != connectionPoolSettings.keyStore) {
+                final String keyStoreType = null == connectionPoolSettings.keyStoreType ? KeyStore.getDefaultType()
+                        : connectionPoolSettings.keyStoreType;
+                final KeyStore keystore = KeyStore.getInstance(keyStoreType);
+                final char[] password = null == connectionPoolSettings.keyStorePassword ? null
+                        : connectionPoolSettings.keyStorePassword.toCharArray();
+                try (final InputStream in = new FileInputStream(connectionPoolSettings.keyStore)) {
+                    keystore.load(in, password);
+                }
+                final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+                kmf.init(keystore, password);
+                builder.keyManager(kmf);
+            }
+
+            // Load custom truststore
+            if (null != connectionPoolSettings.trustStore) {
+                final String keystoreType = null == connectionPoolSettings.keyStoreType ? KeyStore.getDefaultType()
+                        : connectionPoolSettings.keyStoreType;
+                final KeyStore truststore = KeyStore.getInstance(keystoreType);
+                final char[] password = null == connectionPoolSettings.trustStorePassword ? null
+                        : connectionPoolSettings.trustStorePassword.toCharArray();
+                try (final InputStream in = new FileInputStream(connectionPoolSettings.trustStore)) {
+                    truststore.load(in, password);
+                }
+                final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                tmf.init(truststore);
+                builder.trustManager(tmf);
+            }
+
+        } catch (UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e) {
+            logger.error("There was an error enabling SSL.", e);
+            return null;
+        }
+
+        if (null != connectionPoolSettings.sslCipherSuites && !connectionPoolSettings.sslCipherSuites.isEmpty()) {
+            builder.ciphers(connectionPoolSettings.sslCipherSuites);
+        }
+
+        if (null != connectionPoolSettings.sslEnabledProtocols && !connectionPoolSettings.sslEnabledProtocols.isEmpty()) {
+            builder.protocols(connectionPoolSettings.sslEnabledProtocols.toArray(new String[] {}));
+        }
+
+        if (connectionPoolSettings.sslSkipCertValidation) {
+            logger.warn("SSL configured with sslSkipCertValidation thus trusts all certificates without verification (not suitable for production)");
+            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
+        }
+
         builder.sslProvider(provider);
 
         return builder.build();
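Review bot: the truststore block reads the keystore's type for the truststore (`final String keystoreType = null == connectionPoolSettings.keyStoreType ? KeyStore.getDefaultType() : connectionPoolSettings.keyStoreType;`), so a PKCS12 keystore cannot be paired with a JKS truststore; add a `trustStoreType` setting, or at least document that `keyStoreType` governs both. Two smaller points in the same block: `sslSkipCertValidation` is applied after `builder.trustManager(tmf)`, so setting both silently discards the configured trustStore (reject the combination or say in the warning that the trustStore is ignored), and the catch clause logs and `return null` even though the method is declared `throws Exception`; rethrowing would make a wrong keystore path or password fail the Cluster build loudly instead of handing a null SslContext downstream.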
@@ -499,6 +569,14 @@ public final class Cluster {
         private String keyCertChainFile = null;
         private String keyFile = null;
         private String keyPassword = null;
+        private String keyStore;
+        private String keyStorePassword;
+        private String trustStore;
+        private String trustStorePassword;
+        private String keyStoreType;
+        private List<String> sslEnabledProtocols = new ArrayList<>();
+        private List<String> sslCipherSuites = new ArrayList<>();
+        private boolean sslSkipCertValidation = false;
         private SslContext sslContext = null;
         private LoadBalancingStrategy loadBalancingStrategy = new LoadBalancingStrategy.RoundRobin();
         private AuthProperties authProps = new AuthProperties();
@@ -579,7 +657,9 @@ public final class Cluster {
          * File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and
          * SSL is enabled, the {@link TrustManager} will be established with a self-signed certificate which is NOT
          * suitable for production purposes.
+         * @deprecated
          */
+        @Deprecated
         public Builder trustCertificateChainFile(final String certificateChainFile) {
             this.trustCertChainFile = certificateChainFile;
             return this;
@@ -597,7 +677,9 @@ public final class Cluster {
 
         /**
          * The X.509 certificate chain file in PEM format.
+         * @deprecated
          */
+        @Deprecated
         public Builder keyCertChainFile(final String keyCertChainFile) {
             this.keyCertChainFile = keyCertChainFile;
             return this;
@@ -605,7 +687,9 @@ public final class Cluster {
 
         /**
          * The PKCS#8 private key file in PEM format.
+         * @deprecated
          */
+        @Deprecated
         public Builder keyFile(final String keyFile) {
             this.keyFile = keyFile;
             return this;
@@ -613,11 +697,77 @@ public final class Cluster {
 
         /**
          * The password of the {@link #keyFile}, or {@code null} if it's not password-protected.
+         * @deprecated
          */
+        @Deprecated
         public Builder keyPassword(final String keyPassword) {
             this.keyPassword = keyPassword;
             return this;
         }
+        
+        /**
+         * 
+         */
+        public Builder keyStore(final String keyStore) {
+            this.keyStore = keyStore;
+            return this;
+        }
+        
+        /**
+         * 
+         */
+        public Builder keyStorePassword(final String keyStorePassword) {
+            this.keyStorePassword = keyStorePassword;
+            return this;
+        }
+        
+        /**
+         * 
+         */
+        public Builder trustStore(final String trustStore) {
+            this.trustStore = trustStore;
+            return this;
+        }
+        
+        /**
+         * 
+         */
+        public Builder trustStorePassword(final String trustStorePassword) {
+            this.trustStorePassword = trustStorePassword;
+            return this;
+        }
+        
+        /**
+         * 
+         */
+        public Builder keyStoreType(final String keyStoreType) {
+            this.keyStoreType = keyStoreType;
+            return this;
+        }
+        
+        /**
+         * 
+         */
+        public Builder sslEnabledProtocols(final List<String> sslEnabledProtocols) {
+            this.sslEnabledProtocols = sslEnabledProtocols;
+            return this;
+        }
+        
+        /**
+         * 
+         */
+        public Builder sslCipherSuites(final List<String> sslCipherSuites) {
+            this.sslCipherSuites = sslCipherSuites;
+            return this;
+        }
+        
+        /**
+         * 
+         */
+        public Builder sslSkipCertValidation(final boolean sslSkipCertValidation) {
+            this.sslSkipCertValidation = sslSkipCertValidation;
+            return this;
+        }
 
         /**
          * The minimum number of in-flight requests that can occur on a {@link Connection} before it is considered
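Review bot: the eight new builder methods from `keyStore` to `sslSkipCertValidation` have empty `/** */` blocks (and trailing whitespace on the blank lines between them). At minimum `sslSkipCertValidation` needs the "trusts all certificates without verification (not suitable for production)" warning that the log line carries, `trustStore` should state that the JVM default trust store is used when it is unset, and `keyStorePassword`/`trustStorePassword` should say that `null` means an unprotected store, as the PEM-era `keyPassword` comment does.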
@@ -901,6 +1051,14 @@ public final class Cluster {
             connectionPoolSettings.keyCertChainFile = builder.keyCertChainFile;
             connectionPoolSettings.keyFile = builder.keyFile;
             connectionPoolSettings.keyPassword = builder.keyPassword;
+            connectionPoolSettings.keyStore = builder.keyStore;
+            connectionPoolSettings.keyStorePassword = builder.keyStorePassword;
+            connectionPoolSettings.trustStore = builder.trustStore;
+            connectionPoolSettings.trustStorePassword = builder.trustStorePassword;
+            connectionPoolSettings.keyStoreType = builder.keyStoreType;
+            connectionPoolSettings.sslCipherSuites = builder.sslCipherSuites;
+            connectionPoolSettings.sslEnabledProtocols = builder.sslEnabledProtocols;
+            connectionPoolSettings.sslSkipCertValidation = builder.sslSkipCertValidation;
             connectionPoolSettings.keepAliveInterval = builder.keepAliveInterval;
             connectionPoolSettings.channelizer = builder.channelizer;
 

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
----------------------------------------------------------------------
diff --git a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
index 8a2517d..009a0bf 100644
--- a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
+++ b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
@@ -232,25 +232,82 @@ final class Settings {
 
         /**
          * The trusted certificate in PEM format.
+         * @deprecated Use JSSE-based settings
          */
+        @Deprecated
         public String trustCertChainFile = null;
 
         /**
          * The X.509 certificate chain file in PEM format.
+         * @deprecated Use JSSE-based settings
          */
+        @Deprecated
         public String keyCertChainFile = null;
 
         /**
          * The PKCS#8 private key file in PEM format.
+         * @deprecated Use JSSE-based settings
          */
+        @Deprecated
         public String keyFile = null;
 
         /**
          * The password of the {@link #keyFile}, or {@code null} if it's not password-protected.
+         * @deprecated Use JSSE-based settings
          */
+        @Deprecated
         public String keyPassword = null;
 
         /**
+         * JSSE keystore file path. Similar to setting JSSE property
+         * {@code javax.net.ssl.keyStore}.
+         */
+        public String keyStore;
+
+        /**
+         * JSSE keystore password. Similar to setting JSSE property
+         * {@code javax.net.ssl.keyStorePassword}.
+         */
+        public String keyStorePassword;
+
+        /**
+         * JSSE truststore file path. Similar to setting JSSE property
+         * {@code javax.net.ssl.trustStore}.
+         */
+        public String trustStore;
+
+        /**
+         * JSSE truststore password. Similar to setting JSSE property
+         * {@code javax.net.ssl.trustStorePassword}.
+         */
+        public String trustStorePassword;
+
+        /**
+         * JSSE keystore format. Similar to setting JSSE property
+         * {@code javax.net.ssl.keyStoreType}.
+         */
+        public String keyStoreType;
+
+        /**
+         * @see <a href=
+         *      "https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols">JSSE
+         *      Protocols</a>
+         */
+        public List<String> sslEnabledProtocols = new ArrayList<>();
+
+        /**
+         * @see <a href=
+         *      "https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites">Cipher
+         *      Suites</a>
+         */
+        public List<String> sslCipherSuites = new ArrayList<>();
+
+        /**
+         * 
+         */
+        public boolean sslSkipCertValidation = false;
+
+        /**
          * The minimum size of a connection pool for a {@link Host}. By default this is set to 2.
          */
         public int minSize = ConnectionPool.MIN_POOL_SIZE;
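Review bot: the javadoc for `sslSkipCertValidation` is empty on a setting that turns off certificate verification; document what it replaces (before this patch an unset `trustCertChainFile` meant trust-all, now trust-all is opt-in through this flag) and that it must stay `false` outside of tests. The YAML key name should also be shown, since remote-secure.yaml in this patch is the only place a user sees it spelled out.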

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/conf/gremlin-server-rest-secure.yaml
----------------------------------------------------------------------
diff --git a/gremlin-server/conf/gremlin-server-rest-secure.yaml b/gremlin-server/conf/gremlin-server-rest-secure.yaml
index ab21b33..fcfbba1 100644
--- a/gremlin-server/conf/gremlin-server-rest-secure.yaml
+++ b/gremlin-server/conf/gremlin-server-rest-secure.yaml
@@ -69,4 +69,8 @@ authentication: {
   config: {
     credentialsDb: conf/tinkergraph-credentials.properties}}
 ssl: {
-  enabled: true}
+  enabled: true,
+  # You must configure a keyStore!
+  #keyStore: server.jks,
+  #keyStorePassword: changeit
+}
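Review bot: with `keyStore` commented out, what this sample ships is `ssl: { enabled: true }`, and this patch also removes the self-signed fallback from AbstractChannelizer, so the file as distributed no longer yields a working TLS listener. The comment should say that plainly (the server will not serve TLS until `keyStore` is set) rather than "You must configure a keyStore!", and `changeit` should be marked as a placeholder. Also confirm the YAML parser in use accepts the trailing comma left after `enabled: true,` inside the flow mapping once the following keys are commented out.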

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/conf/gremlin-server-secure.yaml
----------------------------------------------------------------------
diff --git a/gremlin-server/conf/gremlin-server-secure.yaml b/gremlin-server/conf/gremlin-server-secure.yaml
index 42a7785..af46c59 100644
--- a/gremlin-server/conf/gremlin-server-secure.yaml
+++ b/gremlin-server/conf/gremlin-server-secure.yaml
@@ -73,4 +73,8 @@ authentication: {
   config: {
     credentialsDb: conf/tinkergraph-credentials.properties}}
 ssl: {
-  enabled: true}
+  enabled: true,
+  # You must configure a keyStore!
+  #keyStore: server.jks,
+  #keyStorePassword: changeit
+}
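Review bot: `#keyStore: server.jks` is resolved relative to the server's working directory, while the other relative path in this file is `credentialsDb: conf/tinkergraph-credentials.properties`; use `conf/server.jks` so the keystore lives next to the rest of the configuration and the two secure samples (this one and gremlin-server-rest-secure.yaml) stay consistent.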

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java b/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java
index edea752..2a29fec 100644
--- a/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java
+++ b/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java
@@ -22,7 +22,6 @@ import io.netty.channel.EventLoopGroup;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
-import io.netty.handler.ssl.util.SelfSignedCertificate;
 import io.netty.handler.timeout.IdleStateHandler;
 import org.apache.tinkerpop.gremlin.driver.MessageSerializer;
 import org.apache.tinkerpop.gremlin.driver.ser.AbstractGryoMessageSerializerV1d0;
@@ -43,8 +42,18 @@ import org.javatuples.Pair;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.TrustManagerFactory;
+
 import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -258,7 +267,7 @@ public abstract class AbstractChannelizer extends ChannelInitializer<SocketChann
         }
     }
 
-    private SslContext createSSLContext(final Settings settings)  {
+    private SslContext createSSLContext(final Settings settings) {
         final Settings.SslSettings sslSettings = settings.ssl;
 
         if (sslSettings.getSslContext().isPresent()) {
@@ -270,25 +279,62 @@ public abstract class AbstractChannelizer extends ChannelInitializer<SocketChann
 
         final SslContextBuilder builder;
 
-        // if the config doesn't contain a cert or key then use a self signed cert - not suitable for production
-        if (null == sslSettings.keyCertChainFile || null == sslSettings.keyFile) {
-            try {
-                logger.warn("Enabling SSL with self-signed certificate (NOT SUITABLE FOR PRODUCTION)");
-                final SelfSignedCertificate ssc = new SelfSignedCertificate();
-                builder = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey());
-            } catch (CertificateException ce) {
-                logger.error("There was an error creating the self-signed certificate for SSL - SSL is not enabled", ce);
-                return null;
-            }
-        } else {
+        // DEPRECATED: If the config has the required, deprecated settings, then use it
+        if (null != sslSettings.keyCertChainFile && null != sslSettings.keyFile) {
+            logger.warn("Using deprecated SSL keyFile support");
             final File keyCertChainFile = new File(sslSettings.keyCertChainFile);
             final File keyFile = new File(sslSettings.keyFile);
             final File trustCertChainFile = null == sslSettings.trustCertChainFile ? null : new File(sslSettings.trustCertChainFile);
 
-            // note that keyPassword may be null here if the keyFile is not password-protected. passing null to
+            // note that keyPassword may be null here if the keyFile is not
+            // password-protected. passing null to
             // trustManager is also ok (default will be used)
-            builder = SslContextBuilder.forServer(keyCertChainFile, keyFile, sslSettings.keyPassword)
-                    .trustManager(trustCertChainFile);
+            builder = SslContextBuilder.forServer(keyCertChainFile, keyFile, sslSettings.keyPassword).trustManager(trustCertChainFile);
+        } else {
+
+            // Build JSSE SSLContext
+            try {
+                final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+
+                // Load private key and signed cert
+                if (null != sslSettings.keyStore) {
+                    final String keyStoreType = null == sslSettings.keyStoreType ? KeyStore.getDefaultType() : sslSettings.keyStoreType;
+                    final KeyStore keystore = KeyStore.getInstance(keyStoreType);
+                    final char[] password = null == sslSettings.keyStorePassword ? null : sslSettings.keyStorePassword.toCharArray();
+                    try (final InputStream in = new FileInputStream(sslSettings.keyStore)) {
+                        keystore.load(in, password);
+                    }
+                    kmf.init(keystore, password);
+                }
+
+                builder = SslContextBuilder.forServer(kmf);
+
+                // Load custom truststore for client auth certs
+                if (null != sslSettings.trustStore) {
+                    final String keystoreType = null == sslSettings.keyStoreType ? KeyStore.getDefaultType() : sslSettings.keyStoreType;
+                    final KeyStore truststore = KeyStore.getInstance(keystoreType);
+                    final char[] password = null == sslSettings.trustStorePassword ? null : sslSettings.trustStorePassword.toCharArray();
+                    try (final InputStream in = new FileInputStream(sslSettings.trustStore)) {
+                        truststore.load(in, password);
+                    }
+                    final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                    tmf.init(truststore);
+                    builder.trustManager(tmf);
+                }
+
+            } catch (UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e) {
+                logger.error("There was an error enabling SSL.", e);
+                return null;
+            }
+
+        }
+
+        if (null != sslSettings.sslCipherSuites && !sslSettings.sslCipherSuites.isEmpty()) {
+            builder.ciphers(sslSettings.sslCipherSuites);
+        }
+
+        if (null != sslSettings.sslEnabledProtocols && !sslSettings.sslEnabledProtocols.isEmpty()) {
+            builder.protocols(sslSettings.sslEnabledProtocols.toArray(new String[] {}));
         }
 
         builder.clientAuth(sslSettings.needClientAuth).sslProvider(provider);
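Review bot: if neither the deprecated PEM pair nor `keyStore` is configured, the `else` branch reaches `builder = SslContextBuilder.forServer(kmf);` with a `KeyManagerFactory` that was never initialised; `getKeyManagers()` on it throws `IllegalStateException`, which is unchecked and not in the catch list, so a server with `ssl.enabled: true` and no keystore fails with an uncaught exception instead of the "There was an error enabling SSL." log. Check `sslSettings.keyStore` (or the deprecated pair) up front and fail with a message naming the missing setting. The truststore is also loaded with `sslSettings.keyStoreType`, the same coupling as in the driver, which matters here because a `needClientAuth` deployment will typically hold the client CA in a separate store.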

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java b/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java
index 74a5a1a..c918f8b 100644
--- a/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java
+++ b/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java
@@ -450,34 +450,86 @@ public class Settings {
      */
     public static class SslSettings {
         /**
-         * Enables SSL.  Other settings will be ignored unless this is set to true. By default a self-signed
-         * certificate is used (not suitable for production) for SSL.  To override this setting, be sure to set
-         * the {@link #keyCertChainFile} and the {@link #keyFile}.
+         * Enables SSL. Other SSL settings will be ignored unless this is set to true.
          */
         public boolean enabled = false;
 
         /**
          * The X.509 certificate chain file in PEM format.
+         * 
+         * @deprecated Use JSSE-based settings
          */
+        @Deprecated
         public String keyCertChainFile = null;
 
         /**
          * The PKCS#8 private key file in PEM format.
+         * 
+         * @deprecated Use JSSE-based settings
          */
+        @Deprecated
         public String keyFile = null;
 
         /**
-         * The password of the {@link #keyFile}, or {@code null} if it's not password-protected.
+         * The password of the {@link #keyFile}, or {@code null} if it's not
+         * password-protected.
+         * 
+         * @deprecated Use JSSE-based settings
          */
+        @Deprecated
         public String keyPassword = null;
 
         /**
-         * Trusted certificates for verifying the remote endpoint's certificate. The file should
-         * contain an X.509 certificate chain in PEM format. {@code null} uses the system default.
+         * Trusted certificates for verifying the remote endpoint's certificate. The
+         * file should contain an X.509 certificate chain in PEM format. {@code null}
+         * uses the system default.
+         * 
+         * @deprecated Use JSSE-based settings
          */
+        @Deprecated
         public String trustCertChainFile = null;
 
         /**
+         * JSSE keystore file path. Similar to setting JSSE property
+         * {@code javax.net.ssl.keyStore}.
+         */
+        public String keyStore;
+
+        /**
+         * JSSE keystore password. Similar to setting JSSE property
+         * {@code javax.net.ssl.keyStorePassword}.
+         */
+        public String keyStorePassword;
+
+        /**
+         * JSSE truststore file path. Similar to setting JSSE property
+         * {@code javax.net.ssl.trustStore}.
+         */
+        public String trustStore;
+
+        /**
+         * JSSE truststore password. Similar to setting JSSE property
+         * {@code javax.net.ssl.trustStorePassword}.
+         */
+        public String trustStorePassword;
+
+        /**
+         * JSSE keystore format. Similar to setting JSSE property
+         * {@code javax.net.ssl.keyStoreType}.
+         */
+        public String keyStoreType;
+
+        /**
+         * @see <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols">JSSE Protocols</a>
+         */
+        public List<String> sslEnabledProtocols = new ArrayList<>();
+
+        /**
+         * @see <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites">Cipher Suites</a>
+         */
+        public List<String> sslCipherSuites = new ArrayList<>();
+
+        /**
          * Require client certificate authentication
          */
         public ClientAuth needClientAuth = ClientAuth.NONE;
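Review bot: the `enabled` javadoc was trimmed to "Other SSL settings will be ignored unless this is set to true" and no longer says what is required once it is true; since the self-signed default is gone, state that `keyStore` and `keyStorePassword` (or the deprecated `keyCertChainFile`/`keyFile` pair) must be provided. `trustStore` should also say what `needClientAuth` verifies against when it is unset (the JVM default trust store), because that is the case where an operator would expect a failure and get a silent accept of any publicly-rooted client certificate.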

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/AbstractGremlinServerIntegrationTest.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/AbstractGremlinServerIntegrationTest.java b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/AbstractGremlinServerIntegrationTest.java
index f11a045..0543a59 100644
--- a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/AbstractGremlinServerIntegrationTest.java
+++ b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/AbstractGremlinServerIntegrationTest.java
@@ -38,6 +38,13 @@ import static org.junit.Assume.assumeThat;
  * @author Stephen Mallette (http://stephen.genoprime.com)
  */
 public abstract class AbstractGremlinServerIntegrationTest {
+    
+    public static final String KEY_PASS = "changeit";
+    public static final String JKS_SERVER_KEY = "src/test/resources/server.jks";
+    public static final String JKS_CLIENT_KEY = "src/test/resources/client.jks";
+    public static final String P12_SERVER_KEY = "src/test/resources/server.p12";
+    public static final String P12_CLIENT_KEY = "src/test/resources/client.p12";
+
     protected GremlinServer server;
     private Settings overriddenSettings;
     private final static String epollOption = "gremlin.server.epoll";
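Review bot: `JKS_CLIENT_KEY` and `P12_CLIENT_KEY` point at src/test/resources/client.jks and client.p12, but the file list for this commit adds only `server.jks | Bin 0 -> 2258 bytes` and `server.p12 | Bin 0 -> 2613 bytes`; either the client keystores are missing from the commit or the two constants are dead. A one-line comment that these fixtures and `KEY_PASS = "changeit"` are test-only would also help, since the same password string appears commented in the shipped conf files.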

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthIntegrateTest.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthIntegrateTest.java b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthIntegrateTest.java
index e06bbb7..b4d979a 100644
--- a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthIntegrateTest.java
+++ b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthIntegrateTest.java
@@ -66,6 +66,8 @@ public class GremlinServerAuthIntegrateTest extends AbstractGremlinServerIntegra
             case "shouldFailIfSslEnabledOnServerButNotClient":
                 final Settings.SslSettings sslConfig = new Settings.SslSettings();
                 sslConfig.enabled = true;
+                sslConfig.keyStore = JKS_SERVER_KEY;
+                sslConfig.keyStorePassword = KEY_PASS;
                 settings.ssl = sslConfig;
                 break;
         }
@@ -107,7 +109,7 @@ public class GremlinServerAuthIntegrateTest extends AbstractGremlinServerIntegra
     @Test
     public void shouldAuthenticateOverSslWithPlainText() throws Exception {
         final Cluster cluster = TestClientFactory.build()
-                .enableSsl(true)
+                .enableSsl(true).sslSkipCertValidation(true)
                 .credentials("stephen", "password").create();
         final Client client = cluster.connect();
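Review bot: `.enableSsl(true).sslSkipCertValidation(true)` makes this test pass whatever certificate the server presents, so the new validating path that this patch makes the default is not covered here. With server.jks available as `JKS_SERVER_KEY`, `.trustStore(JKS_SERVER_KEY).trustStorePassword(KEY_PASS)` would verify the server's certificate against the same store it serves from, leaving skip-validation to a test that targets that flag specifically.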
 

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthOldIntegrateTest.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthOldIntegrateTest.java b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthOldIntegrateTest.java
index b26dd1e..10755f1 100644
--- a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthOldIntegrateTest.java
+++ b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthOldIntegrateTest.java
@@ -69,6 +69,8 @@ public class GremlinServerAuthOldIntegrateTest extends AbstractGremlinServerInte
             case "shouldFailIfSslEnabledOnServerButNotClient":
                 final Settings.SslSettings sslConfig = new Settings.SslSettings();
                 sslConfig.enabled = true;
+                sslConfig.keyStore = JKS_SERVER_KEY;
+                sslConfig.keyStorePassword = KEY_PASS;
                 settings.ssl = sslConfig;
                 break;
         }
@@ -110,7 +112,7 @@ public class GremlinServerAuthOldIntegrateTest extends AbstractGremlinServerInte
     @Test
     public void shouldAuthenticateOverSslWithPlainText() throws Exception {
         final Cluster cluster = TestClientFactory.build()
-                .enableSsl(true)
+                .enableSsl(true).keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS).sslSkipCertValidation(true)
                 .credentials("stephen", "password").create();
         final Client client = cluster.connect();
 
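Review bot: this builder chain differs from the same test in GremlinServerAuthIntegrateTest, which only adds `.sslSkipCertValidation(true)`; here the client is also given `.keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS)`. The server in this case sets no client-auth requirement, so the client keystore is never used, and pointing a client at the server's private-key store is misleading to readers. Suggest dropping the two keyStore calls so both tests read identically.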

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
index eb5def9..238d2b2 100644
--- a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
+++ b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
@@ -110,11 +110,10 @@ import static org.junit.Assert.assertEquals;
  */
 public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegrationTest {
 
-    private static final String SERVER_KEY = "src/test/resources/server.key.pk8";
-    private static final String SERVER_CRT = "src/test/resources/server.crt";
-    private static final String KEY_PASS = "changeit";
-    private static final String CLIENT_KEY = "src/test/resources/client.key.pk8";
-    private static final String CLIENT_CRT = "src/test/resources/client.crt";
+    private static final String PEM_SERVER_KEY = "src/test/resources/server.key.pk8";
+    private static final String PEM_SERVER_CRT = "src/test/resources/server.crt";
+    private static final String PEM_CLIENT_KEY = "src/test/resources/client.key.pk8";
+    private static final String PEM_CLIENT_CRT = "src/test/resources/client.crt";
     private Level previousLogLevel;
 
     private Log4jRecordingAppender recordingAppender = null;
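Review bot: `KEY_PASS` is deleted from this class while `settings.ssl.keyPassword =KEY_PASS;` and the `.keyPassword(KEY_PASS)` calls further down still reference it, so the constant must now come from AbstractGremlinServerIntegrationTest. That is fine, but a reader of this hunk alone sees a removed symbol that is still in use; a line in the commit message saying the constants moved to the base class would avoid the confusion.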
@@ -194,6 +193,8 @@ public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegration
             case "shouldEnableSslButFailIfClientConnectsWithoutIt":
                 settings.ssl = new Settings.SslSettings();
                 settings.ssl.enabled = true;
+                settings.ssl.keyStore = JKS_SERVER_KEY;
+                settings.ssl.keyStorePassword = KEY_PASS;
                 break;
             case "shouldEnableSslWithSslContextProgrammaticallySpecified":
                 settings.ssl = new Settings.SslSettings();
@@ -204,31 +205,31 @@ public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegration
                 settings.ssl = new Settings.SslSettings();
                 settings.ssl.enabled = true;
                 settings.ssl.needClientAuth = ClientAuth.REQUIRE;
-                settings.ssl.keyCertChainFile = SERVER_CRT;
-                settings.ssl.keyFile = SERVER_KEY;
+                settings.ssl.keyCertChainFile = PEM_SERVER_CRT;
+                settings.ssl.keyFile = PEM_SERVER_KEY;
                 settings.ssl.keyPassword =KEY_PASS;
                 // Trust the client
-                settings.ssl.trustCertChainFile = CLIENT_CRT;
+                settings.ssl.trustCertChainFile = PEM_CLIENT_CRT;
             	break;
             case "shouldEnableSslAndClientCertificateAuthAndFailWithoutCert":
                 settings.ssl = new Settings.SslSettings();
                 settings.ssl.enabled = true;
                 settings.ssl.needClientAuth = ClientAuth.REQUIRE;
-                settings.ssl.keyCertChainFile = SERVER_CRT;
-                settings.ssl.keyFile = SERVER_KEY;
+                settings.ssl.keyCertChainFile = PEM_SERVER_CRT;
+                settings.ssl.keyFile = PEM_SERVER_KEY;
                 settings.ssl.keyPassword =KEY_PASS;
                 // Trust the client
-                settings.ssl.trustCertChainFile = CLIENT_CRT;
+                settings.ssl.trustCertChainFile = PEM_CLIENT_CRT;
             	break;
             case "shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCert":
                 settings.ssl = new Settings.SslSettings();
                 settings.ssl.enabled = true;
                 settings.ssl.needClientAuth = ClientAuth.REQUIRE;
-                settings.ssl.keyCertChainFile = SERVER_CRT;
-                settings.ssl.keyFile = SERVER_KEY;
+                settings.ssl.keyCertChainFile = PEM_SERVER_CRT;
+                settings.ssl.keyFile = PEM_SERVER_KEY;
                 settings.ssl.keyPassword =KEY_PASS;
                 // Trust ONLY the server cert
-                settings.ssl.trustCertChainFile = SERVER_CRT;
+                settings.ssl.trustCertChainFile = PEM_SERVER_CRT;
             	break;
             case "shouldUseSimpleSandbox":
                 settings.scriptEngines.get("gremlin-groovy").config = getScriptEngineConfForSimpleSandbox();
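Review bot: since these three cases are being rewritten anyway, the spacing in `settings.ssl.keyPassword =KEY_PASS;` and the tab-indented `break;` lines should be normalized to the surrounding four-space style; both are carried over unchanged in all three `+` blocks. Otherwise the PEM_ prefix makes the PEM versus JKS/P12 distinction much clearer.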
@@ -485,7 +486,7 @@ public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegration
 
     @Test
     public void shouldEnableSsl() {
-        final Cluster cluster = TestClientFactory.build().enableSsl(true).create();
+        final Cluster cluster = TestClientFactory.build().enableSsl(true).keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS).sslSkipCertValidation(true).create();
         final Client client = cluster.connect();
 
         try {
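Review bot: shouldEnableSsl now builds the client with `.keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS)` and `.sslSkipCertValidation(true)`. A key store holds the client's own key, which this test does not need (the server only sets keyStore/keyStorePassword, no client auth); what the client needs to validate the server is a trust store. With validation skipped, the test only proves that a handshake completes, not that the server presents a certificate chaining to something the client trusts. Suggest replacing the keyStore calls with a `.trustStore(...)` holding the server certificate and removing the skip.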
@@ -533,8 +534,8 @@ public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegration
     @Test
     public void shouldEnableSslAndClientCertificateAuth() {
 		final Cluster cluster = TestClientFactory.build().enableSsl(true)
-				.keyCertChainFile(CLIENT_CRT).keyFile(CLIENT_KEY)
-				.keyPassword(KEY_PASS).trustCertificateChainFile(SERVER_CRT).create();
+				.keyCertChainFile(PEM_CLIENT_CRT).keyFile(PEM_CLIENT_KEY)
+				.keyPassword(KEY_PASS).trustCertificateChainFile(PEM_SERVER_CRT).create();
 		final Client client = cluster.connect();
 
         try {
@@ -546,7 +547,7 @@ public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegration
 
     @Test
     public void shouldEnableSslAndClientCertificateAuthAndFailWithoutCert() {
-        final Cluster cluster = TestClientFactory.build().enableSsl(true).create();
+        final Cluster cluster = TestClientFactory.build().enableSsl(true).keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS).sslSkipCertValidation(true).create();
         final Client client = cluster.connect();
 
         try {
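Review bot: the test name says "FailWithoutCert", but the client is now built with `.keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS)`, so it can present the server's certificate as its client certificate. The handshake would then fail because the server trusts only PEM_CLIENT_CRT, not because no certificate was offered, which is what the AndFailWithoutTrustedClientCert case already covers. Remove the keyStore calls here so the test fails for the reason its name promises.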
@@ -563,8 +564,8 @@ public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegration
     @Test
     public void shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCert() {
 		final Cluster cluster = TestClientFactory.build().enableSsl(true)
-				.keyCertChainFile(CLIENT_CRT).keyFile(CLIENT_KEY)
-				.keyPassword(KEY_PASS).trustCertificateChainFile(SERVER_CRT).create();
+				.keyCertChainFile(PEM_CLIENT_CRT).keyFile(PEM_CLIENT_KEY)
+				.keyPassword(KEY_PASS).trustCertificateChainFile(PEM_SERVER_CRT).create();
 		final Client client = cluster.connect();
 
         try {

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java
index 738ca89..300a7f4 100644
--- a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java
+++ b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java
@@ -100,6 +100,8 @@ abstract class AbstractGremlinServerChannelizerIntegrateTest extends AbstractGre
             case "shouldWorkWithSSL":
                 settings.ssl = new Settings.SslSettings();
                 settings.ssl.enabled = true;
+                settings.ssl.keyStore = JKS_SERVER_KEY;
+                settings.ssl.keyStorePassword = KEY_PASS;
                 break;
             case "shouldWorkWithAuth":
                 if (authSettings != null) {
@@ -109,6 +111,8 @@ abstract class AbstractGremlinServerChannelizerIntegrateTest extends AbstractGre
             case "shouldWorkWithSSLAndAuth":
                 settings.ssl = new Settings.SslSettings();
                 settings.ssl.enabled = true;
+                settings.ssl.keyStore = JKS_SERVER_KEY;
+                settings.ssl.keyStorePassword = KEY_PASS;
                 if (authSettings != null) {
                     settings.authentication = getAuthSettings();
                 }
@@ -304,7 +308,7 @@ abstract class AbstractGremlinServerChannelizerIntegrateTest extends AbstractGre
                                                 .with(Property.USERNAME, username)
                                                 .with(Property.PASSWORD, password);
 
-                nioCluster = nioBuilder.enableSsl(secure).authProperties(authProps).create();
+                nioCluster = nioBuilder.enableSsl(secure).sslSkipCertValidation(true).authProperties(authProps).create();
                 nioClient = nioCluster.connect();
             } else {
                 nioCluster = nioBuilder.enableSsl(secure).create();
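Review bot: the NIO path only gets `.sslSkipCertValidation(true)` in the authenticated branch; the `else` branch still does `nioBuilder.enableSsl(secure).create()`, whereas the WebSocket path below updates both branches. Now that the server presents a keystore certificate, the unauthenticated NIO case with `secure` set would go through certificate validation and behave differently from the WebSocket case. Either update both branches the same way or, better, configure a trust store for both so no branch needs to skip validation.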
@@ -318,10 +322,10 @@ abstract class AbstractGremlinServerChannelizerIntegrateTest extends AbstractGre
                                                 .with(Property.USERNAME, username)
                                                 .with(Property.PASSWORD, password);
 
-                wsCluster = wsBuilder.enableSsl(secure).authProperties(authProps).create();
+                wsCluster = wsBuilder.enableSsl(secure).sslSkipCertValidation(true).authProperties(authProps).create();
                 wsClient = wsCluster.connect();
             } else {
-                wsCluster = wsBuilder.enableSsl(secure).create();
+                wsCluster = wsBuilder.enableSsl(secure).sslSkipCertValidation(true).create();
                 wsClient = wsCluster.connect();
             }
         }

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/server.jks b/gremlin-server/src/test/resources/server.jks
new file mode 100644
index 0000000..85dbe67
Binary files /dev/null and b/gremlin-server/src/test/resources/server.jks differ

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e3b4ae5d/gremlin-server/src/test/resources/server.p12
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/server.p12 b/gremlin-server/src/test/resources/server.p12
new file mode 100644
index 0000000..4d1aad7
Binary files /dev/null and b/gremlin-server/src/test/resources/server.p12 differ


[2/9] tinkerpop git commit: TINKERPOP-2023 added tests and some fixes

Posted by rd...@apache.org.
TINKERPOP-2023 added tests and some fixes


Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/d05e3c56
Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/d05e3c56
Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/d05e3c56

Branch: refs/heads/tp33
Commit: d05e3c566b580f5aee020234e17b69df3f708b7a
Parents: 5d893cf
Author: Robert Dale <ro...@gmail.com>
Authored: Mon Aug 13 15:28:40 2018 -0400
Committer: Robert Dale <ro...@gmail.com>
Committed: Fri Aug 17 15:06:33 2018 -0400

----------------------------------------------------------------------
 .../src/reference/gremlin-applications.asciidoc |   2 +-
 .../tinkerpop/gremlin/driver/Settings.java      |  28 ++-
 .../tinkerpop/gremlin/driver/SettingsTest.java  |  17 ++
 .../AbstractGremlinServerIntegrationTest.java   |  14 +-
 .../server/GremlinServerIntegrateTest.java      | 192 +++++++++++++++++--
 ...ctGremlinServerChannelizerIntegrateTest.java |   2 +
 .../src/test/resources/client-key.jks           | Bin 0 -> 2241 bytes
 .../src/test/resources/client-key.p12           | Bin 0 -> 2583 bytes
 .../src/test/resources/client-trust.jks         | Bin 0 -> 969 bytes
 .../src/test/resources/client-trust.p12         | Bin 0 -> 1202 bytes
 .../src/test/resources/server-key.jks           | Bin 0 -> 2258 bytes
 .../src/test/resources/server-key.p12           | Bin 0 -> 2613 bytes
 .../src/test/resources/server-trust.jks         | Bin 0 -> 952 bytes
 .../src/test/resources/server-trust.p12         | Bin 0 -> 1186 bytes
 gremlin-server/src/test/resources/server.jks    | Bin 2258 -> 0 bytes
 gremlin-server/src/test/resources/server.p12    | Bin 2613 -> 0 bytes
 16 files changed, 228 insertions(+), 27 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/docs/src/reference/gremlin-applications.asciidoc
----------------------------------------------------------------------
diff --git a/docs/src/reference/gremlin-applications.asciidoc b/docs/src/reference/gremlin-applications.asciidoc
index 1f64f46..8ad8a0a 100644
--- a/docs/src/reference/gremlin-applications.asciidoc
+++ b/docs/src/reference/gremlin-applications.asciidoc
@@ -735,7 +735,7 @@ The following table describes the various configuration options for the Gremlin
 |connectionPool.keyPassword |The password of the `keyFile` if it is password-protected. |_none_
 |connectionPool.keyStore |The private key in JKS or PKCS#12 format. |_none_
 |connectionPool.keyStorePassword |The password of the `keyStore` if it is password-protected. |_none_
-|connectionPool.keyStoreType |JKS (Java 8 default) or PKCS#12 (Java 9+ default)|_none_
+|connectionPool.keyStoreType |`JKS` (Java 8 default) or `PKCS12` (Java 9+ default)|_none_
 |connectionPool.maxContentLength |The maximum length in bytes that a message can be sent to the server. This number can be no greater than the setting of the same name in the server configuration. |65536
 |connectionPool.maxInProcessPerConnection |The maximum number of in-flight requests that can occur on a connection. |4
 |connectionPool.maxSimultaneousUsagePerConnection |The maximum number of times that a connection can be borrowed from the pool simultaneously. |16
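Review bot: the table now spells the type as `JKS` or `PKCS12`, while the Settings javadoc changed in this same commit says `'jks' or 'pkcs12'` and the tests pass `pkcs12`. `KeyStore.getInstance` is case-insensitive on the type name, so both work, but the two pieces of documentation should agree on one spelling. Also make sure the table's entry for `sslSkipCertValidation` (not in this hunk) states plainly that it turns off server certificate verification, since the driver now reads it from the config file.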

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
----------------------------------------------------------------------
diff --git a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
index 009a0bf..4d54792 100644
--- a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
+++ b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
@@ -181,6 +181,32 @@ final class Settings {
             if (connectionPoolConf.containsKey("trustCertChainFile"))
                 cpSettings.trustCertChainFile = connectionPoolConf.getString("trustCertChainFile");
 
+            if (connectionPoolConf.containsKey("keyStore"))
+                cpSettings.keyStore = connectionPoolConf.getString("keyStore");
+
+            if (connectionPoolConf.containsKey("keyStorePassword"))
+                cpSettings.keyStorePassword = connectionPoolConf.getString("keyStorePassword");
+
+            if (connectionPoolConf.containsKey("keyStoreType"))
+                cpSettings.keyStoreType = connectionPoolConf.getString("keyStoreType");
+
+            if (connectionPoolConf.containsKey("trustStore"))
+                cpSettings.trustStore = connectionPoolConf.getString("trustStore");
+
+            if (connectionPoolConf.containsKey("trustStorePassword"))
+                cpSettings.trustStorePassword = connectionPoolConf.getString("trustStorePassword");
+
+            if (connectionPoolConf.containsKey("sslEnabledProtocols"))
+                cpSettings.sslEnabledProtocols = connectionPoolConf.getList("sslEnabledProtocols").stream().map(Object::toString)
+                        .collect(Collectors.toList());
+
+            if (connectionPoolConf.containsKey("sslCipherSuites"))
+                cpSettings.sslCipherSuites = connectionPoolConf.getList("sslCipherSuites").stream().map(Object::toString)
+                        .collect(Collectors.toList());
+
+            if (connectionPoolConf.containsKey("sslSkipCertValidation"))
+                cpSettings.sslSkipCertValidation = connectionPoolConf.getBoolean("sslSkipCertValidation");
+
             if (connectionPoolConf.containsKey("minSize"))
                 cpSettings.minSize = connectionPoolConf.getInt("minSize");
 
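Review bot: `sslSkipCertValidation` becomes settable from the YAML config with no guard or log line, so a client whose config carries `sslSkipCertValidation: true` will silently accept any server certificate. Consider logging a warning when the parsed value is true, so a misconfigured production client is visible in its logs. Also, `Collectors` is used for the two list settings; its import sits outside this hunk, so double-check that `java.util.stream.Collectors` is imported in Settings.java.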
@@ -283,7 +309,7 @@ final class Settings {
         public String trustStorePassword;
 
         /**
-         * JSSE keystore format. Similar to setting JSSE property
+         * JSSE keystore format. 'jks' or 'pkcs12'. Similar to setting JSSE property
          * {@code javax.net.ssl.keyStoreType}.
          */
         public String keyStoreType;

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/SettingsTest.java
----------------------------------------------------------------------
diff --git a/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/SettingsTest.java b/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/SettingsTest.java
index c373879..56e0ec8 100644
--- a/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/SettingsTest.java
+++ b/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/SettingsTest.java
@@ -49,6 +49,14 @@ public class SettingsTest {
         conf.setProperty("connectionPool.keyFile", "PKCS#8");
         conf.setProperty("connectionPool.keyPassword", "password1");
         conf.setProperty("connectionPool.trustCertChainFile", "pem");
+        conf.setProperty("connectionPool.keyStore", "server.jks");
+        conf.setProperty("connectionPool.keyStorePassword", "password2");
+        conf.setProperty("connectionPool.keyStoreType", "pkcs12");
+        conf.setProperty("connectionPool.trustStore", "trust.jks");
+        conf.setProperty("connectionPool.trustStorePassword", "password3");
+        conf.setProperty("connectionPool.sslEnabledProtocols", Arrays.asList("TLSv1.1","TLSv1.2"));
+        conf.setProperty("connectionPool.sslCipherSuites", Arrays.asList("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"));
+        conf.setProperty("connectionPool.sslSkipCertValidation", true);
         conf.setProperty("connectionPool.minSize", 100);
         conf.setProperty("connectionPool.maxSize", 200);
         conf.setProperty("connectionPool.minSimultaneousUsagePerConnection", 300);
@@ -71,6 +79,7 @@ public class SettingsTest {
         assertEquals("password1", settings.password);
         assertEquals("JaasIt", settings.jaasEntry);
         assertEquals("protocol0", settings.protocol);
+        assertEquals(Arrays.asList("255.0.0.1", "255.0.0.2", "255.0.0.3"), settings.hosts);
         assertEquals("my.serializers.MySerializer", settings.serializer.className);
         assertEquals("thing", settings.serializer.config.get("any"));
         assertEquals(true, settings.connectionPool.enableSsl);
@@ -78,6 +87,14 @@ public class SettingsTest {
         assertEquals("PKCS#8", settings.connectionPool.keyFile);
         assertEquals("password1", settings.connectionPool.keyPassword);
         assertEquals("pem", settings.connectionPool.trustCertChainFile);
+        assertEquals("server.jks", settings.connectionPool.keyStore);
+        assertEquals("password2", settings.connectionPool.keyStorePassword);
+        assertEquals("pkcs12", settings.connectionPool.keyStoreType);
+        assertEquals("trust.jks", settings.connectionPool.trustStore);
+        assertEquals("password3", settings.connectionPool.trustStorePassword);
+        assertEquals(Arrays.asList("TLSv1.1","TLSv1.2"), settings.connectionPool.sslEnabledProtocols);
+        assertEquals(Arrays.asList("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"), settings.connectionPool.sslCipherSuites);
+        assertEquals(true, settings.connectionPool.sslSkipCertValidation);
         assertEquals(100, settings.connectionPool.minSize);
         assertEquals(200, settings.connectionPool.maxSize);
         assertEquals(300, settings.connectionPool.minSimultaneousUsagePerConnection);

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/AbstractGremlinServerIntegrationTest.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/AbstractGremlinServerIntegrationTest.java b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/AbstractGremlinServerIntegrationTest.java
index 0543a59..c5e3966 100644
--- a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/AbstractGremlinServerIntegrationTest.java
+++ b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/AbstractGremlinServerIntegrationTest.java
@@ -40,10 +40,16 @@ import static org.junit.Assume.assumeThat;
 public abstract class AbstractGremlinServerIntegrationTest {
     
     public static final String KEY_PASS = "changeit";
-    public static final String JKS_SERVER_KEY = "src/test/resources/server.jks";
-    public static final String JKS_CLIENT_KEY = "src/test/resources/client.jks";
-    public static final String P12_SERVER_KEY = "src/test/resources/server.p12";
-    public static final String P12_CLIENT_KEY = "src/test/resources/client.p12";
+    public static final String JKS_SERVER_KEY = "src/test/resources/server-key.jks";
+    public static final String JKS_SERVER_TRUST = "src/test/resources/server-trust.jks";
+    public static final String JKS_CLIENT_KEY = "src/test/resources/client-key.jks";
+    public static final String JKS_CLIENT_TRUST = "src/test/resources/client-trust.jks";
+    public static final String P12_SERVER_KEY = "src/test/resources/server-key.p12";
+    public static final String P12_SERVER_TRUST = "src/test/resources/server-trust.p12";
+    public static final String P12_CLIENT_KEY = "src/test/resources/client-key.p12";
+    public static final String P12_CLIENT_TRUST = "src/test/resources/client-trust.p12";
+    public static final String KEYSTORE_TYPE_JKS = "jks";
+    public static final String KEYSTORE_TYPE_PKCS12 = "pkcs12";
 
     protected GremlinServer server;
     private Settings overriddenSettings;

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
index 238d2b2..a4e9478 100644
--- a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
+++ b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
@@ -74,6 +74,7 @@ import org.junit.Test;
 import java.lang.reflect.Field;
 import java.nio.channels.ClosedChannelException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -195,42 +196,97 @@ public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegration
                 settings.ssl.enabled = true;
                 settings.ssl.keyStore = JKS_SERVER_KEY;
                 settings.ssl.keyStorePassword = KEY_PASS;
+                settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
                 break;
             case "shouldEnableSslWithSslContextProgrammaticallySpecified":
                 settings.ssl = new Settings.SslSettings();
                 settings.ssl.enabled = true;
                 settings.ssl.overrideSslContext(createServerSslContext());
                 break;
-            case "shouldEnableSslAndClientCertificateAuth":
+            case "shouldEnableSslAndClientCertificateAuthWithLegacyPem":
                 settings.ssl = new Settings.SslSettings();
                 settings.ssl.enabled = true;
                 settings.ssl.needClientAuth = ClientAuth.REQUIRE;
                 settings.ssl.keyCertChainFile = PEM_SERVER_CRT;
                 settings.ssl.keyFile = PEM_SERVER_KEY;
-                settings.ssl.keyPassword =KEY_PASS;
+                settings.ssl.keyPassword = KEY_PASS;
                 // Trust the client
                 settings.ssl.trustCertChainFile = PEM_CLIENT_CRT;
-            	break;
-            case "shouldEnableSslAndClientCertificateAuthAndFailWithoutCert":
+                break;
+            case "shouldEnableSslAndClientCertificateAuthAndFailWithoutCertWithLegacyPem":
                 settings.ssl = new Settings.SslSettings();
                 settings.ssl.enabled = true;
                 settings.ssl.needClientAuth = ClientAuth.REQUIRE;
                 settings.ssl.keyCertChainFile = PEM_SERVER_CRT;
                 settings.ssl.keyFile = PEM_SERVER_KEY;
-                settings.ssl.keyPassword =KEY_PASS;
+                settings.ssl.keyPassword = KEY_PASS;
                 // Trust the client
                 settings.ssl.trustCertChainFile = PEM_CLIENT_CRT;
-            	break;
-            case "shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCert":
+                break;
+            case "shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCertWithLegacyPem":
                 settings.ssl = new Settings.SslSettings();
                 settings.ssl.enabled = true;
                 settings.ssl.needClientAuth = ClientAuth.REQUIRE;
                 settings.ssl.keyCertChainFile = PEM_SERVER_CRT;
                 settings.ssl.keyFile = PEM_SERVER_KEY;
-                settings.ssl.keyPassword =KEY_PASS;
+                settings.ssl.keyPassword = KEY_PASS;
                 // Trust ONLY the server cert
                 settings.ssl.trustCertChainFile = PEM_SERVER_CRT;
-            	break;
+                break;
+            case "shouldEnableSslAndClientCertificateAuthWithPkcs12":
+                settings.ssl = new Settings.SslSettings();
+                settings.ssl.enabled = true;
+                settings.ssl.needClientAuth = ClientAuth.REQUIRE;
+                settings.ssl.keyStore = P12_SERVER_KEY;
+                settings.ssl.keyStorePassword = KEY_PASS;
+                settings.ssl.keyStoreType = KEYSTORE_TYPE_PKCS12;
+                settings.ssl.trustStore = P12_SERVER_TRUST;
+                settings.ssl.trustStorePassword = KEY_PASS;
+                break;
+            case "shouldEnableSslAndClientCertificateAuth":
+                settings.ssl = new Settings.SslSettings();
+                settings.ssl.enabled = true;
+                settings.ssl.needClientAuth = ClientAuth.REQUIRE;
+                settings.ssl.keyStore = JKS_SERVER_KEY;
+                settings.ssl.keyStorePassword = KEY_PASS;
+                settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
+                settings.ssl.trustStore = JKS_SERVER_TRUST;
+                settings.ssl.trustStorePassword = KEY_PASS;
+                break;
+            case "shouldEnableSslAndClientCertificateAuthAndFailWithoutCert":
+                settings.ssl = new Settings.SslSettings();
+                settings.ssl.enabled = true;
+                settings.ssl.needClientAuth = ClientAuth.REQUIRE;
+                settings.ssl.keyStore = JKS_SERVER_KEY;
+                settings.ssl.keyStorePassword = KEY_PASS;
+                settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
+                settings.ssl.trustStore = JKS_SERVER_TRUST;
+                settings.ssl.trustStorePassword = KEY_PASS;
+                break;
+            case "shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCert":
+                settings.ssl = new Settings.SslSettings();
+                settings.ssl.enabled = true;
+                settings.ssl.needClientAuth = ClientAuth.REQUIRE;
+                settings.ssl.keyStore = JKS_SERVER_KEY;
+                settings.ssl.keyStorePassword = KEY_PASS;
+                settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
+                break;
+            case "shouldEnableSslAndFailIfProtocolsDontMatch":
+                settings.ssl = new Settings.SslSettings();
+                settings.ssl.enabled = true;
+                settings.ssl.keyStore = JKS_SERVER_KEY;
+                settings.ssl.keyStorePassword = KEY_PASS;
+                settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
+                settings.ssl.sslEnabledProtocols = Arrays.asList("TLSv1.1");
+                break;
+            case "shouldEnableSslAndFailIfCiphersDontMatch":
+                settings.ssl = new Settings.SslSettings();
+                settings.ssl.enabled = true;
+                settings.ssl.keyStore = JKS_SERVER_KEY;
+                settings.ssl.keyStorePassword = KEY_PASS;
+                settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
+                settings.ssl.sslCipherSuites = Arrays.asList("TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
+                break;
             case "shouldUseSimpleSandbox":
                 settings.scriptEngines.get("gremlin-groovy").config = getScriptEngineConfForSimpleSandbox();
                 break;
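Review bot: in the `shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCert` case the server sets `needClientAuth = ClientAuth.REQUIRE` but no `trustStore`, so the store the server validates client certificates against is implicit (whatever the JVM default is), unlike the legacy PEM case above, which documents the intent with `// Trust ONLY the server cert` and `trustCertChainFile = PEM_SERVER_CRT`. Add an explicit trust store that does not contain the client certificate, or at least a comment stating the reliance on the default, so the test fails for the intended reason. Separately, the six new cases repeat the same keyStore/keyStorePassword/keyStoreType block; a small helper taking the store paths and type would reduce the copy-paste.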
@@ -532,21 +588,21 @@ public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegration
     }
 
     @Test
-    public void shouldEnableSslAndClientCertificateAuth() {
-		final Cluster cluster = TestClientFactory.build().enableSsl(true)
-				.keyCertChainFile(PEM_CLIENT_CRT).keyFile(PEM_CLIENT_KEY)
-				.keyPassword(KEY_PASS).trustCertificateChainFile(PEM_SERVER_CRT).create();
-		final Client client = cluster.connect();
+    public void shouldEnableSslAndClientCertificateAuthWithLegacyPem() {
+        final Cluster cluster = TestClientFactory.build().enableSsl(true)
+                .keyCertChainFile(PEM_CLIENT_CRT).keyFile(PEM_CLIENT_KEY)
+                .keyPassword(KEY_PASS).trustCertificateChainFile(PEM_SERVER_CRT).create();
+        final Client client = cluster.connect();
 
         try {
-        	assertEquals("test", client.submit("'test'").one().getString());
+            assertEquals("test", client.submit("'test'").one().getString());
         } finally {
             cluster.close();
         }
     }
 
     @Test
-    public void shouldEnableSslAndClientCertificateAuthAndFailWithoutCert() {
+    public void shouldEnableSslAndClientCertificateAuthAndFailWithoutCertWithLegacyPem() {
         final Cluster cluster = TestClientFactory.build().enableSsl(true).keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS).sslSkipCertValidation(true).create();
         final Client client = cluster.connect();
 
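Review bot: `shouldEnableSslAndClientCertificateAuthAndFailWithoutCertWithLegacyPem` is renamed but its builder (context line) still carries `.keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS)`, so the "without cert" client is still handed a key store; same concern as for the JKS variant. The tab-to-space indentation cleanup in the renamed tests is welcome.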
@@ -562,11 +618,11 @@ public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegration
     }
 
     @Test
-    public void shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCert() {
-		final Cluster cluster = TestClientFactory.build().enableSsl(true)
-				.keyCertChainFile(PEM_CLIENT_CRT).keyFile(PEM_CLIENT_KEY)
-				.keyPassword(KEY_PASS).trustCertificateChainFile(PEM_SERVER_CRT).create();
-		final Client client = cluster.connect();
+    public void shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCertWithLegacyPem() {
+        final Cluster cluster = TestClientFactory.build().enableSsl(true)
+                .keyCertChainFile(PEM_CLIENT_CRT).keyFile(PEM_CLIENT_KEY)
+                .keyPassword(KEY_PASS).trustCertificateChainFile(PEM_SERVER_CRT).create();
+        final Client client = cluster.connect();
 
         try {
             client.submit("'test'").one();
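Review bot: shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCertWithLegacyPem builds exactly the same Cluster as the passing shouldEnableSslAndClientCertificateAuthWithLegacyPem (keyCertChainFile(PEM_CLIENT_CRT), keyFile(PEM_CLIENT_KEY), trustCertificateChainFile(PEM_SERVER_CRT)); what makes it fail must be the server-side settings selected by test name in the switch above, which is invisible from the test body. Add a one-line comment naming the server setting that differs (presumably a server trust store that does not contain the client certificate) so the next reader does not have to diff the two tests. The rename plus tab-to-space reindent also makes this hunk mostly whitespace; splitting the reindent into its own commit would keep the rename reviewable.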
@@ -578,6 +634,100 @@ public class GremlinServerIntegrateTest extends AbstractGremlinServerIntegration
             cluster.close();
         }
     }
+    
+    @Test
+    public void shouldEnableSslAndClientCertificateAuthWithPkcs12() {
+        final Cluster cluster = TestClientFactory.build().enableSsl(true).keyStore(P12_CLIENT_KEY).keyStorePassword(KEY_PASS)
+                .keyStoreType(KEYSTORE_TYPE_PKCS12).trustStore(P12_CLIENT_TRUST).trustStorePassword(KEY_PASS).create();
+        final Client client = cluster.connect();
+
+        try {
+            assertEquals("test", client.submit("'test'").one().getString());
+        } finally {
+            cluster.close();
+        }
+    }
+
+    @Test
+    public void shouldEnableSslAndClientCertificateAuth() {
+        final Cluster cluster = TestClientFactory.build().enableSsl(true).keyStore(JKS_CLIENT_KEY).keyStorePassword(KEY_PASS)
+                .keyStoreType(KEYSTORE_TYPE_JKS).trustStore(JKS_CLIENT_TRUST).trustStorePassword(KEY_PASS).create();
+        final Client client = cluster.connect();
+
+        try {
+            assertEquals("test", client.submit("'test'").one().getString());
+        } finally {
+            cluster.close();
+        }
+    }
+
+    @Test
+    public void shouldEnableSslAndClientCertificateAuthAndFailWithoutCert() {
+        final Cluster cluster = TestClientFactory.build().enableSsl(true).keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS)
+                .keyStoreType(KEYSTORE_TYPE_JKS).sslSkipCertValidation(true).create();
+        final Client client = cluster.connect();
+
+        try {
+            client.submit("'test'").one();
+            fail("Should throw exception because ssl client auth is enabled on the server but client does not have a cert");
+        } catch (Exception x) {
+            final Throwable root = ExceptionUtils.getRootCause(x);
+            assertThat(root, instanceOf(TimeoutException.class));
+        } finally {
+            cluster.close();
+        }
+    }
+
+    @Test
+    public void shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCert() {
+        final Cluster cluster = TestClientFactory.build().enableSsl(true).keyStore(JKS_CLIENT_KEY).keyStorePassword(KEY_PASS)
+                .keyStoreType(KEYSTORE_TYPE_JKS).trustStore(JKS_CLIENT_TRUST).trustStorePassword(KEY_PASS).create();
+        final Client client = cluster.connect();
+
+        try {
+            client.submit("'test'").one();
+            fail("Should throw exception because ssl client auth is enabled on the server but does not trust client's cert");
+        } catch (Exception x) {
+            final Throwable root = ExceptionUtils.getRootCause(x);
+            assertThat(root, instanceOf(TimeoutException.class));
+        } finally {
+            cluster.close();
+        }
+    }
+    
+    @Test
+    public void shouldEnableSslAndFailIfProtocolsDontMatch() {
+        final Cluster cluster = TestClientFactory.build().enableSsl(true).keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS)
+                .sslSkipCertValidation(true).sslEnabledProtocols(Arrays.asList("TLSv1.2")).create();
+        final Client client = cluster.connect();
+
+        try {
+            client.submit("'test'").one();
+            fail("Should throw exception because ssl client requires TLSv1.2 whereas server supports only TLSv1.1");
+        } catch (Exception x) {
+            final Throwable root = ExceptionUtils.getRootCause(x);
+            assertThat(root, instanceOf(TimeoutException.class));
+        } finally {
+            cluster.close();
+        }
+    }
+
+    @Test
+    public void shouldEnableSslAndFailIfCiphersDontMatch() {
+        final Cluster cluster = TestClientFactory.build().enableSsl(true).keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS)
+                .sslSkipCertValidation(true).sslCipherSuites(Arrays.asList("SSL_RSA_WITH_RC4_128_SHA")).create();
+        final Client client = cluster.connect();
+
+        try {
+            client.submit("'test'").one();
+            fail("Should throw exception because ssl client requires TLSv1.2 whereas server supports only TLSv1.1");
+        } catch (Exception x) {
+            final Throwable root = ExceptionUtils.getRootCause(x);
+            assertThat(root, instanceOf(TimeoutException.class));
+        } finally {
+            cluster.close();
+        }
+    }
 
     @Test
     public void shouldRespectHighWaterMarkSettingAndSucceed() throws Exception {

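Review bot: the failure message in shouldEnableSslAndFailIfCiphersDontMatch is copied from the protocol test: `fail("Should throw exception because ssl client requires TLSv1.2 whereas server supports only TLSv1.1")` should say that the client offers only SSL_RSA_WITH_RC4_128_SHA and the server does not enable it. Three further points on the new tests. First, every negative test asserts only that the root cause is a TimeoutException, which does not show that the handshake failed for the reason the message names; an unreachable or misconfigured server produces the same timeout. If the driver surfaces the SSLHandshakeException anywhere in the cause chain, assert on that, otherwise at least check the server log, or these tests will keep passing when the SSL code regresses into "never connects". Second, SSL_RSA_WITH_RC4_128_SHA has been in the default jdk.tls.disabledAlgorithms since Java 8u60, so on a current JVM the client will fail before any comparison with the server's list happens; choose a suite that is enabled on the JVM but absent from the server's configured list (one server case at the top of this diff pins TLS_DHE_RSA_WITH_AES_128_CBC_SHA) so the test exercises the mismatch it claims to. Third, shouldEnableSslAndFailIfProtocolsDontMatch and shouldEnableSslAndFailIfCiphersDontMatch use keyStore(JKS_SERVER_KEY) as the client key store; JKS_CLIENT_KEY would be consistent with the other client-side tests and avoids suggesting that clients are expected to hold the server key. Minor: the two added blank lines before the @Test annotations (`+    `) carry trailing whitespace.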
http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java
index 300a7f4..ced5247 100644
--- a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java
+++ b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java
@@ -102,6 +102,7 @@ abstract class AbstractGremlinServerChannelizerIntegrateTest extends AbstractGre
                 settings.ssl.enabled = true;
                 settings.ssl.keyStore = JKS_SERVER_KEY;
                 settings.ssl.keyStorePassword = KEY_PASS;
+                settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
                 break;
             case "shouldWorkWithAuth":
                 if (authSettings != null) {
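Review bot: `settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS` is being added by hand to every SSL case (this hunk and the next one repeat the same four-line keyStore/keyStorePassword/keyStoreType block). If the server's Settings requires keyStoreType whenever keyStore is set, the fallback to KeyStore.getDefaultType() belongs in AbstractChannelizer so that neither tests nor operator configs have to remember it; if the server already falls back, these lines are redundant. Either way, a small helper in the test class that fills in the three ssl fields would stop the two copies drifting.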
@@ -113,6 +114,7 @@ abstract class AbstractGremlinServerChannelizerIntegrateTest extends AbstractGre
                 settings.ssl.enabled = true;
                 settings.ssl.keyStore = JKS_SERVER_KEY;
                 settings.ssl.keyStorePassword = KEY_PASS;
+                settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
                 if (authSettings != null) {
                     settings.authentication = getAuthSettings();
                 }

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/resources/client-key.jks
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/client-key.jks b/gremlin-server/src/test/resources/client-key.jks
new file mode 100644
index 0000000..39df02b
Binary files /dev/null and b/gremlin-server/src/test/resources/client-key.jks differ

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/resources/client-key.p12
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/client-key.p12 b/gremlin-server/src/test/resources/client-key.p12
new file mode 100644
index 0000000..74f182c
Binary files /dev/null and b/gremlin-server/src/test/resources/client-key.p12 differ

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/resources/client-trust.jks
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/client-trust.jks b/gremlin-server/src/test/resources/client-trust.jks
new file mode 100644
index 0000000..d8b5479
Binary files /dev/null and b/gremlin-server/src/test/resources/client-trust.jks differ

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/resources/client-trust.p12
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/client-trust.p12 b/gremlin-server/src/test/resources/client-trust.p12
new file mode 100644
index 0000000..2100e94
Binary files /dev/null and b/gremlin-server/src/test/resources/client-trust.p12 differ

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/resources/server-key.jks
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/server-key.jks b/gremlin-server/src/test/resources/server-key.jks
new file mode 100644
index 0000000..85dbe67
Binary files /dev/null and b/gremlin-server/src/test/resources/server-key.jks differ

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/resources/server-key.p12
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/server-key.p12 b/gremlin-server/src/test/resources/server-key.p12
new file mode 100644
index 0000000..4d1aad7
Binary files /dev/null and b/gremlin-server/src/test/resources/server-key.p12 differ

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/resources/server-trust.jks
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/server-trust.jks b/gremlin-server/src/test/resources/server-trust.jks
new file mode 100644
index 0000000..a53cf47
Binary files /dev/null and b/gremlin-server/src/test/resources/server-trust.jks differ

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/resources/server-trust.p12
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/server-trust.p12 b/gremlin-server/src/test/resources/server-trust.p12
new file mode 100644
index 0000000..a055de0
Binary files /dev/null and b/gremlin-server/src/test/resources/server-trust.p12 differ

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/server.jks b/gremlin-server/src/test/resources/server.jks
deleted file mode 100644
index 85dbe67..0000000
Binary files a/gremlin-server/src/test/resources/server.jks and /dev/null differ

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/d05e3c56/gremlin-server/src/test/resources/server.p12
----------------------------------------------------------------------
diff --git a/gremlin-server/src/test/resources/server.p12 b/gremlin-server/src/test/resources/server.p12
deleted file mode 100644
index 4d1aad7..0000000
Binary files a/gremlin-server/src/test/resources/server.p12 and /dev/null differ


[7/9] tinkerpop git commit: TINKERPOP-2023 updated docs with creating self-signed cert, incorrect ssl configuration will prevent server from starting removed OPTIONAL from needClientAuth

Posted by rd...@apache.org.
TINKERPOP-2023 updated docs with creating self-signed cert,
incorrect ssl configuration will prevent server from starting
removed OPTIONAL from needClientAuth


Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/b77c0c7b
Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/b77c0c7b
Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/b77c0c7b

Branch: refs/heads/tp33
Commit: b77c0c7b55866bbbddd8d721142118b53fcfe154
Parents: bbc0265
Author: Robert Dale <ro...@gmail.com>
Authored: Fri Aug 17 17:35:41 2018 -0400
Committer: Robert Dale <ro...@gmail.com>
Committed: Fri Aug 17 17:35:41 2018 -0400

----------------------------------------------------------------------
 .../src/reference/gremlin-applications.asciidoc | 59 ++++++++++++++++----
 .../gremlin/server/AbstractChannelizer.java     | 16 ++++--
 2 files changed, 60 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/b77c0c7b/docs/src/reference/gremlin-applications.asciidoc
----------------------------------------------------------------------
diff --git a/docs/src/reference/gremlin-applications.asciidoc b/docs/src/reference/gremlin-applications.asciidoc
index 8372a8a..1cd9964 100644
--- a/docs/src/reference/gremlin-applications.asciidoc
+++ b/docs/src/reference/gremlin-applications.asciidoc
@@ -1155,10 +1155,10 @@ The following table describes the various configuration options that Gremlin Ser
 |ssl.keyStore |The private key in JKS or PKCS#12 format.  |_none_
 |ssl.keyStorePassword |The password of the `keyStore` if it is password-protected. |_none_
 |ssl.keyStoreType |`JKS` (Java 8 default) or `PKCS12` (Java 9+ default) |_none_
-|ssl.needClientAuth | Optional. One of NONE, OPTIONAL, REQUIRE.  Enables client certificate authentication at the enforcement level specified. Can be used in combination with Authenticator. |_none_
+|ssl.needClientAuth | Optional. One of NONE, REQUIRE.  Enables client certificate authentication at the enforcement level specified. Can be used in combination with Authenticator. |_none_
 |ssl.sslCipherSuites |The list of JSSE ciphers to support for SSL connections. If specified, only the ciphers that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
 |ssl.sslEnabledProtocols |The list of SSL protocols to support for SSL connections. If specified, only the protocols that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
-|ssl.trustStore |Required when needClientAuth is OPTIONAL or REQUIRE. Trusted certificates for verifying the remote endpoint's certificate. If this value is not provided and SSL is enabled, the default `TrustManager` will be used. |_none_
+|ssl.trustStore |Required when needClientAuth is REQUIRE. Trusted certificates for verifying the remote endpoint's certificate. If this value is not provided and SSL is enabled, the default `TrustManager` will be used. |_none_
 |ssl.trustStorePassword |The password of the `trustStore` if it is password-protected |_none_
 |strictTransactionManagement |Set to `true` to require `aliases` to be submitted on every requests, where the `aliases` become the scope of transaction management. |false
 |threadPoolBoss |The number of threads available to Gremlin Server for accepting connections. Should always be set to `1`. |1
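Review bot: the needClientAuth row now says `One of NONE, REQUIRE`, but AbstractChannelizer in this same commit still accepts OPTIONAL and silently rewrites it to REQUIRE with a warning; the documentation should say that explicitly (or the code should reject OPTIONAL, which matches the commit's own "incorrect ssl configuration will prevent server from starting"). The trustStore row also contradicts itself: "Required when needClientAuth is REQUIRE" followed by "If this value is not provided and SSL is enabled, the default `TrustManager` will be used". Suggest: "Required when needClientAuth is REQUIRE unless ssl.trustCertChainFile is set. Trusted certificates used to verify client certificates. When neither is set, the JVM default `TrustManager` (the cacerts store) is used, which will not trust self-signed client certificates." The ssl.trustCertChainFile row just above this hunk (visible in the 3/9 commit's diff on this page) still reads "OPTIONAL or REQUIRE" and needs the same OPTIONAL removal.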
@@ -1249,7 +1249,47 @@ authentication: {
 ===== Quick Start
 
 A quick way to get started with the `SimpleAuthenticator` is to use TinkerGraph for the "credentials graph" and the
-"sample" credential graph that is packaged with the server.
+"sample" credential graph that is packaged with the server.  To secure the transport for the credentials,
+SSL should be enabled. For this Quick Start, a self-signed certificate will be created but this should not
+be used in a production environment.
+
+Generate the self-signed SSL certificate:
+
+[source,text]
+----
+$ keytool -genkey -alias localhost -keyalg RSA -keystore server.jks
+Enter keystore password:
+Re-enter new password:
+What is your first and last name?
+  [Unknown]:  localhost
+What is the name of your organizational unit?
+  [Unknown]:
+What is the name of your organization?
+  [Unknown]:
+What is the name of your City or Locality?
+  [Unknown]:
+What is the name of your State or Province?
+  [Unknown]:
+What is the two-letter country code for this unit?
+  [Unknown]:
+Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
+  [no]:  yes
+
+Enter key password for <localhost>
+	(RETURN if same as keystore password):
+----
+
+Next, uncomment the `keyStore` and `keyStorePassword` lines in `conf/gremlin-server-secure.yaml`.
+
+[source,yaml]
+----
+ssl: {
+  enabled: true,
+  sslEnabledProtocols: [TLSv1.2],
+  keyStore: server.jks,
+  keyStorePassword: changeit
+}
+----
 
 [source,text]
 ----
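Review bot: the keytool transcript works for the Quick Start but the instructions should be tightened in three places. `keytool -genkey -alias localhost -keyalg RSA -keystore server.jks` takes keytool's default 90-day validity, so add `-validity 365 -keysize 2048` (and `-ext SAN=dns:localhost` so a client that verifies hostnames has a subjectAltName to match) to avoid a certificate that expires part-way through an evaluation. The transcript lets the user choose a password, while the yaml that follows hardcodes `keyStorePassword: changeit`; say explicitly that this must be the password typed at the "Enter keystore password" prompt, and that pressing RETURN at "Enter key password for <localhost>" is not optional here, because the server loads the store and initialises the KeyManagerFactory with the same password (see `keystore.load(in, password)` / `kmf.init(keystore, password)` in the AbstractChannelizer hunk below), so a distinct key password would fail with UnrecoverableKeyException. Lastly, `keyStore: server.jks` is resolved relative to the directory `bin/gremlin-server.sh` is started from; say so or use an absolute path in the example.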
@@ -1261,7 +1301,6 @@ $ bin/gremlin-server.sh conf/gremlin-server-secure.yaml
 
 [INFO] GremlinServer - Configuring Gremlin Server from conf/gremlin-server-secure.yaml
 ...
-[WARN] AbstractChannelizer - Enabling SSL with self-signed certificate (NOT SUITABLE FOR PRODUCTION)
 [INFO] AbstractChannelizer - SSL enabled
 [INFO] SimpleAuthenticator - Initializing authentication with the org.apache.tinkerpop.gremlin.server.auth.SimpleAuthenticator
 [INFO] SimpleAuthenticator - CredentialGraph initialized at CredentialGraph{graph=tinkergraph[vertices:1 edges:0]}
@@ -1269,19 +1308,18 @@ $ bin/gremlin-server.sh conf/gremlin-server-secure.yaml
 [INFO] GremlinServer$1 - Channel started at port 8182.
 ----
 
-In addition to configuring the authenticator, `gremlin-server-secure.yaml` also enables SSL with a self-signed
-certificate.  As SSL is enabled on the server it must also be enabled on the client when connecting.  To connect to
-Gremlin Server with `gremlin-driver`, set the `credentials` and `enableSsl` when constructing the `Cluster`.
+As SSL is enabled on the server it must also be enabled on the client when connecting.  To connect to
+Gremlin Server with `gremlin-driver`, set the `credentials`, `enableSsl`, and `trustStore` when constructing the `Cluster`.
 
 [source,java]
 Cluster cluster = Cluster.build().credentials("stephen", "password")
-                                 .enableSsl(true).create();
+                                 .enableSsl(true).trustStore("server.jks").create();
 
 If connecting with Gremlin Console, which utilizes `gremlin-driver` for remote script execution, use the provided
 `conf/remote-secure.yaml` file when defining the remote.  That file contains configuration for the username and
-password as well as enablement of SSL from the client side.
+password as well as enablement of SSL from the client side. Be sure to configure the trustStore if using self-signed certificates.
 
-Similarly, Gremlin Server can be configured for REST and security.
+Similarly, Gremlin Server can be configured for REST and security. Follow the steps above for configuring the SSL certificate.
 
 [source,text]
 ----
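Review bot: the Java snippet points the client at `trustStore("server.jks")`, which is the server's key store and contains its private key. Distributing that file to clients is the opposite of what a trust store is for; the Quick Start should export only the certificate and import it into a separate client trust store, for example `keytool -exportcert -alias localhost -keystore server.jks -file server.crt` followed by `keytool -importcert -alias localhost -file server.crt -keystore client-trust.jks`, and the snippet should then use `.trustStore("client-trust.jks").trustStorePassword(...)` (the driver table on this page lists trustStorePassword). The sentence about `conf/remote-secure.yaml` should point at the same exported trust store rather than "the trustStore". Also, the removed paragraph was the only place that told the reader gremlin-server-secure.yaml no longer ships with a usable certificate; since an SSL-enabled server with no keyStore now throws IllegalStateException at startup, keep one sentence saying the file must be edited before `bin/gremlin-server.sh conf/gremlin-server-secure.yaml` will start.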
@@ -1293,7 +1331,6 @@ $ bin/gremlin-server.sh conf/gremlin-server-rest-secure.yaml
 
 [INFO] GremlinServer - Configuring Gremlin Server from conf/gremlin-server-secure.yaml
 ...
-[WARN] AbstractChannelizer - Enabling SSL with self-signed certificate (NOT SUITABLE FOR PRODUCTION)
 [INFO] AbstractChannelizer - SSL enabled
 [INFO] SimpleAuthenticator - Initializing authentication with the org.apache.tinkerpop.gremlin.server.auth.SimpleAuthenticator
 [INFO] SimpleAuthenticator - CredentialGraph initialized at CredentialGraph{graph=tinkergraph[vertices:1 edges:0]}
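Review bot: the sample output under `bin/gremlin-server.sh conf/gremlin-server-rest-secure.yaml` still reads `Configuring Gremlin Server from conf/gremlin-server-secure.yaml`; since this hunk already edits that console transcript, correct the file name to conf/gremlin-server-rest-secure.yaml in the same pass.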

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/b77c0c7b/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java
----------------------------------------------------------------------
diff --git a/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java b/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java
index 2a29fec..d7f3ec1 100644
--- a/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java
+++ b/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java
@@ -19,6 +19,7 @@
 package org.apache.tinkerpop.gremlin.server;
 
 import io.netty.channel.EventLoopGroup;
+import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
@@ -305,6 +306,8 @@ public abstract class AbstractChannelizer extends ChannelInitializer<SocketChann
                         keystore.load(in, password);
                     }
                     kmf.init(keystore, password);
+                } else {
+                    throw new IllegalStateException("keyStore must be configured when SSL is enabled.");
                 }
 
                 builder = SslContextBuilder.forServer(kmf);
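Review bot: the new `throw new IllegalStateException("keyStore must be configured when SSL is enabled.")` sits in the else branch of what appears to be the keyStore path, and `builder = SslContextBuilder.forServer(kmf)` follows unconditionally. ssl.keyCertChainFile / ssl.keyFile are still documented in this commit as a valid PEM alternative, so confirm that a PEM-only configuration is dispatched before this point and cannot land on this exception. If PEM is in fact no longer accepted, the keyCertChainFile/keyFile/keyPassword rows in the doc table should say so; if it is, the message should read "keyStore or keyCertChainFile/keyFile must be configured when SSL is enabled".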
@@ -323,8 +326,8 @@ public abstract class AbstractChannelizer extends ChannelInitializer<SocketChann
                 }
 
             } catch (UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e) {
-                logger.error("There was an error enabling SSL.", e);
-                return null;
+                logger.error(e.getMessage());
+                throw new RuntimeException("There was an error enabling SSL.", e);
             }
 
         }
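Review bot: `logger.error(e.getMessage())` followed by `throw new RuntimeException("There was an error enabling SSL.", e)` logs the failure without its stack trace and then hands the same exception up to be logged again by whatever catches it at startup. Pick one: `logger.error("There was an error enabling SSL.", e)` and rethrow, or just throw and let the startup path log it once with the cause. The same pattern appears in the SSLException catch in the next hunk. Failing fast instead of `return null` is the right direction and matches the commit message; an upgrade-doc line telling operators that an invalid ssl block now aborts startup (rather than being logged and ignored) would complete it.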
@@ -336,14 +339,19 @@ public abstract class AbstractChannelizer extends ChannelInitializer<SocketChann
         if (null != sslSettings.sslEnabledProtocols && !sslSettings.sslEnabledProtocols.isEmpty()) {
             builder.protocols(sslSettings.sslEnabledProtocols.toArray(new String[] {}));
         }
+        
+        if (null != sslSettings.needClientAuth && ClientAuth.OPTIONAL == sslSettings.needClientAuth) {
+            logger.warn("needClientAuth = OPTIONAL is not a secure configuration. Setting to REQUIRE.");
+            sslSettings.needClientAuth = ClientAuth.REQUIRE;
+        }
 
         builder.clientAuth(sslSettings.needClientAuth).sslProvider(provider);
 
         try {
             return builder.build();
         } catch (SSLException ssle) {
-            logger.error("There was an error enabling SSL", ssle);
-            return null;
+            logger.error(ssle.getMessage());
+            throw new RuntimeException("There was an error enabling SSL.", ssle);
         }
     }
 }
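Review bot: rewriting `sslSettings.needClientAuth` from OPTIONAL to REQUIRE mutates the operator's Settings in place and silently converts a value the documentation no longer lists into a stricter one. Given this commit's stance that a bad ssl block should stop the server, rejecting OPTIONAL with an IllegalStateException is more consistent than warn-and-upgrade: clients that connected without a certificate under OPTIONAL will start timing out (exactly what the new integration tests assert), and the only hint will be one WARN line. The `null != sslSettings.needClientAuth &&` guard is redundant for an enum `==` comparison. Separately, the doc table gives needClientAuth a default of _none_; if Settings leaves the field null rather than defaulting it to ClientAuth.NONE, `builder.clientAuth(sslSettings.needClientAuth)` will fail on Netty's null check for every SSL-enabled server that did not set the option, so either default the field in Settings or guard the call here.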


[3/9] tinkerpop git commit: TINKERPOP-2023 updated docs

Posted by rd...@apache.org.
TINKERPOP-2023 updated docs


Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/5d893cfa
Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/5d893cfa
Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/5d893cfa

Branch: refs/heads/tp33
Commit: 5d893cfada0e257be1b6561faaad74c66e9cf636
Parents: ca83fbd
Author: Robert Dale <ro...@gmail.com>
Authored: Sun Aug 12 22:23:33 2018 -0400
Committer: Robert Dale <ro...@gmail.com>
Committed: Fri Aug 17 15:06:33 2018 -0400

----------------------------------------------------------------------
 .../src/reference/gremlin-applications.asciidoc | 27 +++++++++++++++-----
 1 file changed, 21 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/5d893cfa/docs/src/reference/gremlin-applications.asciidoc
----------------------------------------------------------------------
diff --git a/docs/src/reference/gremlin-applications.asciidoc b/docs/src/reference/gremlin-applications.asciidoc
index f4f50c1..1f64f46 100644
--- a/docs/src/reference/gremlin-applications.asciidoc
+++ b/docs/src/reference/gremlin-applications.asciidoc
@@ -732,7 +732,10 @@ The following table describes the various configuration options for the Gremlin
 |connectionPool.keepAliveInterval |Length of time in milliseconds to wait on an idle connection before sending a keep-alive request. Set to zero to disable this feature. |1800000
 |connectionPool.keyCertChainFile |The X.509 certificate chain file in PEM format. |_none_
 |connectionPool.keyFile |The `PKCS#8` private key file in PEM format. |_none_
-|connectionPool.keyPassword |The password of the `keyFile` if it is password-protected |_none_
+|connectionPool.keyPassword |The password of the `keyFile` if it is password-protected. |_none_
+|connectionPool.keyStore |The private key in JKS or PKCS#12 format. |_none_
+|connectionPool.keyStorePassword |The password of the `keyStore` if it is password-protected. |_none_
+|connectionPool.keyStoreType |JKS (Java 8 default) or PKCS#12 (Java 9+ default)|_none_
 |connectionPool.maxContentLength |The maximum length in bytes that a message can be sent to the server. This number can be no greater than the setting of the same name in the server configuration. |65536
 |connectionPool.maxInProcessPerConnection |The maximum number of in-flight requests that can occur on a connection. |4
 |connectionPool.maxSimultaneousUsagePerConnection |The maximum number of times that a connection can be borrowed from the pool simultaneously. |16
@@ -745,7 +748,12 @@ The following table describes the various configuration options for the Gremlin
 |connectionPool.reconnectInitialDelay |The amount of time in milliseconds to wait before trying to reconnect to a dead host for the first time. |1000
 |connectionPool.reconnectInterval |The amount of time in milliseconds to wait before trying to reconnect to a dead host. This interval occurs after the time specified by the `reconnectInitialDelay`. |1000
 |connectionPool.resultIterationBatchSize |The override value for the size of the result batches to be returned from the server. |64
-|connectionPool.trustCertChainFile |File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and SSL is enabled, the `TrustManager` will be established with a self-signed certificate which is NOT suitable for production purposes. |_none_
+|connectionPool.sslCipherSuites |The list of JSSE ciphers to support for SSL connections. If specified, only the ciphers that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
+|connectionPool.sslEnabledProtocols |The list of SSL protocols to support for SSL connections. If specified, only the protocols that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
+|connectionPool.sslSkipCertValidation |Configures the `TrustManager` to trust all certs without any validation. Should not be used in production.|false
+|connectionPool.trustCertChainFile |File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and SSL is enabled, the default `TrustManager` will be uesd. |_none_
+|connectionPool.trustStore |File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and SSL is enabled, the default `TrustManager` will be used. |_none_
+|connectionPool.trustStorePassword |The password of the `trustStore` if it is password-protected |_none_
 |hosts |The list of hosts that the driver will connect to. |localhost
 |jaasEntry |Sets the `AuthProperties.Property.JAAS_ENTRY` properties for authentication to Gremlin Server. |_none_
 |nioPoolSize |Size of the pool for handling request/response operations. |available processors
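Review bot: the `connectionPool.trustStore` description is a copy of the trustCertChainFile row ("File location for a SSL Certificate Chain to use when SSL is enabled") and does not say that it is a JKS/PKCS12 trust store, whether keyStoreType also governs its format, or what happens when both trustStore and trustCertChainFile are set. Typo in the trustCertChainFile row: "uesd". The sslSkipCertValidation row should spell out that it disables server certificate validation entirely (any certificate, including one presented by a man-in-the-middle, is accepted) so that "Should not be used in production" reads as a security warning rather than a style preference, and should say whether it overrides a configured trustStore/trustCertChainFile.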
@@ -1148,11 +1156,18 @@ The following table describes the various configuration options that Gremlin Ser
 |serializers[X].className |The full class name of the `MessageSerializer` implementation. |_none_
 |serializers[X].config |A `Map` containing `MessageSerializer` specific configurations. |_none_
 |ssl.enabled |Determines if SSL is turned on or not. |false
-|ssl.keyCertChainFile |The X.509 certificate chain file in PEM format. If this value is not present and `ssl.enabled` is `true` a self-signed certificate will be used (not suitable for production). |_none_
-|ssl.keyFile |The `PKCS#8` private key file in PEM format. If this value is not present and `ssl.enabled` is `true` a self-signed certificate will be used (not suitable for production). |_none_
-|ssl.keyPassword |The password of the `keyFile` if it is password-protected |_none_
+|ssl.keyCertChainFile |The X.509 certificate chain file in PEM format.|_none_
+|ssl.keyFile |The `PKCS#8` private key file in PEM format.|_none_
+|ssl.keyPassword |The password of the `keyFile` if it is password-protected. |_none_
+|ssl.keyStore |The private key in JKS or PKCS#12 format.  |_none_
+|ssl.keyStorePassword |The password of the `keyStore` if it is password-protected. |_none_
+|ssl.keyStoreType |JKS (Java 8 default) or PKCS#12 (Java 9+ default) |_none_
 |ssl.needClientAuth | Optional. One of NONE, OPTIONAL, REQUIRE.  Enables client certificate authentication at the enforcement level specified. Can be used in combination with Authenticator. |_none_
+|ssl.sslCipherSuites |The list of JSSE ciphers to support for SSL connections. If specified, only the ciphers that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
+|ssl.sslEnabledProtocols |The list of SSL protocols to support for SSL connections. If specified, only the protocols that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
 |ssl.trustCertChainFile | Required when needClientAuth is OPTIONAL or REQUIRE. Trusted certificates for verifying the remote endpoint's certificate. The file should contain an X.509 certificate chain in PEM format. |_none_
+|ssl.trustStore |Required when needClientAuth is OPTIONAL or REQUIRE. Trusted certificates for verifying the remote endpoint's certificate. If this value is not provided and SSL is enabled, the default `TrustManager` will be used. |_none_
+|ssl.trustStorePassword |The password of the `trustStore` if it is password-protected |_none_
 |strictTransactionManagement |Set to `true` to require `aliases` to be submitted on every requests, where the `aliases` become the scope of transaction management. |false
 |threadPoolBoss |The number of threads available to Gremlin Server for accepting connections. Should always be set to `1`. |1
 |threadPoolWorker |The number of threads available to Gremlin Server for processing non-blocking reads and writes. |1
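Review bot: the server table now lists two trust sources, ssl.trustCertChainFile and ssl.trustStore, and marks both "Required when needClientAuth is OPTIONAL or REQUIRE"; only one of them can be, so phrase it as "one of trustCertChainFile or trustStore is required when needClientAuth is REQUIRE". The trustStore row then ends with "the default `TrustManager` will be used", which is incompatible with "Required". The text removed from keyCertChainFile/keyFile ("a self-signed certificate will be used (not suitable for production)") was the only mention of what happens when ssl.enabled is true and no key material is given; the rows should now state that keyStore or keyCertChainFile/keyFile is mandatory in that case. Same PKCS#12 versus `PKCS12` literal issue as in the client table above.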
@@ -1944,7 +1959,7 @@ The Gremlin Server can also be started as a link:https://hub.docker.com/r/tinker
 [source,text]
 ----
 $ docker run tinkerpop/gremlin-server:x.y.z
-[INFO] GremlinServer - 
+[INFO] GremlinServer -
          \,,,/
          (o o)
 -----oOOo-(3)-oOOo-----


[9/9] tinkerpop git commit: merge tp32

Posted by rd...@apache.org.
merge tp32


Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/e1c46b26
Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/e1c46b26
Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/e1c46b26

Branch: refs/heads/tp33
Commit: e1c46b2656ecbb4b5bbf059105bffe0dcd278e4a
Parents: 98ab1b0 e937a3a
Author: Robert Dale <ro...@gmail.com>
Authored: Tue Sep 4 07:42:32 2018 -0400
Committer: Robert Dale <ro...@gmail.com>
Committed: Tue Sep 4 11:41:17 2018 -0400

----------------------------------------------------------------------
 CHANGELOG.asciidoc                              |   1 +
 .../src/reference/gremlin-applications.asciidoc |  82 +++++--
 .../upgrade/release-3.2.x-incubating.asciidoc   |  26 +++
 gremlin-console/conf/remote-secure.yaml         |   3 +-
 .../tinkerpop/gremlin/driver/Cluster.java       | 180 ++++++++++++++-
 .../tinkerpop/gremlin/driver/Settings.java      |  83 +++++++
 .../tinkerpop/gremlin/driver/SettingsTest.java  |  17 ++
 .../conf/gremlin-server-rest-secure.yaml        |   7 +-
 gremlin-server/conf/gremlin-server-secure.yaml  |   7 +-
 .../gremlin/server/AbstractChannelizer.java     |  91 ++++++--
 .../tinkerpop/gremlin/server/Settings.java      |  66 +++++-
 .../AbstractGremlinServerIntegrationTest.java   |  13 ++
 .../server/GremlinServerAuthIntegrateTest.java  |   4 +-
 .../GremlinServerAuthKrb5IntegrateTest.java     |   5 +-
 .../server/GremlinServerIntegrateTest.java      | 224 ++++++++++++++++---
 ...ctGremlinServerChannelizerIntegrateTest.java |  12 +-
 .../src/test/resources/client-key.jks           | Bin 0 -> 2241 bytes
 .../src/test/resources/client-key.p12           | Bin 0 -> 2583 bytes
 .../src/test/resources/client-trust.jks         | Bin 0 -> 969 bytes
 .../src/test/resources/client-trust.p12         | Bin 0 -> 1202 bytes
 .../src/test/resources/server-key.jks           | Bin 0 -> 2258 bytes
 .../src/test/resources/server-key.p12           | Bin 0 -> 2613 bytes
 .../src/test/resources/server-trust.jks         | Bin 0 -> 952 bytes
 .../src/test/resources/server-trust.p12         | Bin 0 -> 1186 bytes
 24 files changed, 725 insertions(+), 96 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/CHANGELOG.asciidoc
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/docs/src/reference/gremlin-applications.asciidoc
----------------------------------------------------------------------
diff --cc docs/src/reference/gremlin-applications.asciidoc
index e175d4b,1cd9964..83b52b6
--- a/docs/src/reference/gremlin-applications.asciidoc
+++ b/docs/src/reference/gremlin-applications.asciidoc
@@@ -766,9 -742,14 +766,13 @@@ The following table describes the vario
  |connectionPool.minInProcessPerConnection |The minimum number of in-flight requests that can occur on a connection. |1
  |connectionPool.minSimultaneousUsagePerConnection |The maximum number of times that a connection can be borrowed from the pool simultaneously. |8
  |connectionPool.minSize |The minimum size of a connection pool for a host. |2
 -|connectionPool.reconnectInitialDelay |The amount of time in milliseconds to wait before trying to reconnect to a dead host for the first time. |1000
 -|connectionPool.reconnectInterval |The amount of time in milliseconds to wait before trying to reconnect to a dead host. This interval occurs after the time specified by the `reconnectInitialDelay`. |1000
 +|connectionPool.reconnectInterval |The amount of time in milliseconds to wait before trying to reconnect to a dead host. |1000
  |connectionPool.resultIterationBatchSize |The override value for the size of the result batches to be returned from the server. |64
- |connectionPool.trustCertChainFile |File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and SSL is enabled, the `TrustManager` will be established with a self-signed certificate which is NOT suitable for production purposes. |_none_
+ |connectionPool.sslCipherSuites |The list of JSSE ciphers to support for SSL connections. If specified, only the ciphers that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
+ |connectionPool.sslEnabledProtocols |The list of SSL protocols to support for SSL connections. If specified, only the protocols that are listed and supported will be enabled. If not specified, the JVM default is used.  |_none_
+ |connectionPool.sslSkipCertValidation |Configures the `TrustManager` to trust all certs without any validation. Should not be used in production.|false
+ |connectionPool.trustStore |File location for a SSL Certificate Chain to use when SSL is enabled. If this value is not provided and SSL is enabled, the default `TrustManager` will be used. |_none_
+ |connectionPool.trustStorePassword |The password of the `trustStore` if it is password-protected |_none_
  |hosts |The list of hosts that the driver will connect to. |localhost
  |jaasEntry |Sets the `AuthProperties.Property.JAAS_ENTRY` properties for authentication to Gremlin Server. |_none_
  |nioPoolSize |Size of the pool for handling request/response operations. |available processors
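Review bot: the `connectionPool.trustStore` row keeps the wording of the removed `trustCertChainFile` row ("File location for a SSL Certificate Chain"), but the upgrade notes in this same merge introduce JKS and PKCS12 support, so this value is a key store file, not a PEM chain. Suggest `|connectionPool.trustStore |File location of a JKS or PKCS12 trust store to use when SSL is enabled. If not provided and SSL is enabled, the default `TrustManager` (the JVM's CA certificates) is used. |_none_`. The `sslSkipCertValidation` row should also state the consequence rather than only "Should not be used in production": with it set, the driver accepts any certificate, so the connection is open to a man-in-the-middle.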
@@@ -1313,8 -1246,50 +1320,48 @@@ authentication: 
    config: {
      credentialsDb: conf/tinkergraph-credentials.properties}}
  
 -===== Quick Start
 -
  A quick way to get started with the `SimpleAuthenticator` is to use TinkerGraph for the "credentials graph" and the
- "sample" credential graph that is packaged with the server.
+ "sample" credential graph that is packaged with the server.  To secure the transport for the credentials,
+ SSL should be enabled. For this Quick Start, a self-signed certificate will be created but this should not
+ be used in a production environment.
+ 
+ Generate the self-signed SSL certificate:
+ 
+ [source,text]
+ ----
+ $ keytool -genkey -alias localhost -keyalg RSA -keystore server.jks
+ Enter keystore password:
+ Re-enter new password:
+ What is your first and last name?
+   [Unknown]:  localhost
+ What is the name of your organizational unit?
+   [Unknown]:
+ What is the name of your organization?
+   [Unknown]:
+ What is the name of your City or Locality?
+   [Unknown]:
+ What is the name of your State or Province?
+   [Unknown]:
+ What is the two-letter country code for this unit?
+   [Unknown]:
+ Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
+   [no]:  yes
+ 
+ Enter key password for <localhost>
+ 	(RETURN if same as keystore password):
+ ----
+ 
+ Next, uncomment the `keyStore` and `keyStorePassword` lines in `conf/gremlin-server-secure.yaml`.
+ 
+ [source,yaml]
+ ----
+ ssl: {
+   enabled: true,
+   sslEnabledProtocols: [TLSv1.2],
+   keyStore: server.jks,
+   keyStorePassword: changeit
+ }
+ ----
  
  [source,text]
  ----
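Review bot: the keytool invocation does not pin the store type or key parameters, and the password it prompts for is never tied to the `keyStorePassword: changeit` shown in the YAML below it. The upgrade notes in this merge say JKS is the default on Java 8 while Java 9 and higher default to PKCS12, so a reader on a newer JVM gets a PKCS12 file named `server.jks` and must set the server's `keyStoreType` to match. Suggest `keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -storetype JKS -keystore server.jks` (`-genkey` is the legacy alias of `-genkeypair`), plus a sentence saying the password entered at the prompt must be the value placed in `keyStorePassword`, and that `server.jks` is resolved relative to the directory Gremlin Server is started from.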

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/docs/src/upgrade/release-3.2.x-incubating.asciidoc
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-console/conf/remote-secure.yaml
----------------------------------------------------------------------
diff --cc gremlin-console/conf/remote-secure.yaml
index 592adcc,b0a7309..97b756b
--- a/gremlin-console/conf/remote-secure.yaml
+++ b/gremlin-console/conf/remote-secure.yaml
@@@ -29,5 -29,6 +29,6 @@@ port: 818
  username: stephen
  password: password
  connectionPool: {
-   enableSsl: true}
+   enableSsl: true,
+   sslEnabledProtocols: [TLSv1.2] }
 -serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
 +serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV3d0, config: { serializeResultToString: true }}
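Review bot: the merged console sample enables SSL with only `sslEnabledProtocols: [TLSv1.2]` and no `trustStore`/`trustStorePassword`, while the driver table in this same merge says an absent trust store means the default `TrustManager` is used. Against the self-signed `server.jks` the Quick Start tells readers to generate, the handshake will fail with an untrusted-certificate error, so the sample no longer works end to end with the documented server setup. Suggest shipping commented placeholders under `connectionPool` such as `#trustStore: client-trust.jks,` and `#trustStorePassword: changeit` (mirroring the "You must configure a keyStore!" comment in `gremlin-server-secure.yaml`) and documenting the export/import step: `keytool -exportcert -alias localhost -keystore server.jks -file server.cer` followed by `keytool -importcert -alias localhost -keystore client-trust.jks -file server.cer`.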

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Settings.java
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/SettingsTest.java
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-server/conf/gremlin-server-rest-secure.yaml
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-server/conf/gremlin-server-secure.yaml
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/Settings.java
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthIntegrateTest.java
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthKrb5IntegrateTest.java
----------------------------------------------------------------------
diff --cc gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthKrb5IntegrateTest.java
index c102446,0000000..a6f8f91
mode 100644,000000..100644
--- a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthKrb5IntegrateTest.java
+++ b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerAuthKrb5IntegrateTest.java
@@@ -1,276 -1,0 +1,279 @@@
 +/*
 + * Licensed to the Apache Software Foundation (ASF) under one
 + * or more contributor license agreements.  See the NOTICE file
 + * distributed with this work for additional information
 + * regarding copyright ownership.  The ASF licenses this file
 + * to you under the Apache License, Version 2.0 (the
 + * "License"); you may not use this file except in compliance
 + * with the License.  You may obtain a copy of the License at
 + *
 + * http://www.apache.org/licenses/LICENSE-2.0
 + *
 + * Unless required by applicable law or agreed to in writing,
 + * software distributed under the License is distributed on an
 + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 + * KIND, either express or implied.  See the License for the
 + * specific language governing permissions and limitations
 + * under the License.
 + */
 +package org.apache.tinkerpop.gremlin.server;
 +
 +import org.apache.commons.lang.exception.ExceptionUtils;
 +import org.apache.log4j.Logger;
 +import org.apache.tinkerpop.gremlin.driver.Client;
 +import org.apache.tinkerpop.gremlin.driver.Cluster;
 +import org.apache.tinkerpop.gremlin.driver.MessageSerializer;
 +import org.apache.tinkerpop.gremlin.driver.exception.ResponseException;
 +import org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0;
 +import org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV3d0;
 +import org.apache.tinkerpop.gremlin.server.auth.Krb5Authenticator;
 +import org.apache.tinkerpop.gremlin.util.Log4jRecordingAppender;
 +import org.ietf.jgss.GSSException;
 +import org.junit.After;
 +import org.junit.Before;
 +import org.junit.Test;
 +import org.slf4j.LoggerFactory;
 +
 +import java.io.File;
 +import java.util.HashMap;
 +import java.util.Map;
 +import javax.security.auth.login.LoginException;
 +
 +import static org.hamcrest.MatcherAssert.assertThat;
 +import static org.hamcrest.core.Is.is;
 +import static org.junit.Assert.assertEquals;
 +import static org.junit.Assert.assertTrue;
 +import static org.junit.Assert.fail;
 +
 +/**
 + * @author Marc de Lignie
 + */
 +public class GremlinServerAuthKrb5IntegrateTest extends AbstractGremlinServerIntegrationTest {
 +    private static final org.slf4j.Logger logger = LoggerFactory.getLogger(GremlinServerAuthKrb5IntegrateTest.class);
 +    private Log4jRecordingAppender recordingAppender = null;
 +
 +    static final String TESTCONSOLE = "GremlinConsole";
 +    static final String TESTCONSOLE_NOT_LOGGED_IN = "UserNotLoggedIn";
 +
 +    private KdcFixture kdcServer;
 +
 +    @Before
 +    @Override
 +    public void setUp() throws Exception {
 +        setupForEachTest();
 +        try {
 +            final String buildDir = System.getProperty("build.dir");
 +            kdcServer = new KdcFixture(buildDir +
 +                    "/test-classes/org/apache/tinkerpop/gremlin/server/gremlin-console-jaas.conf");
 +            kdcServer.setUp();
 +        } catch(Exception e)  {
 +            logger.warn(e.getMessage());
 +        }
 +        super.setUp();
 +    }
 +
 +    public void setupForEachTest() {
 +        recordingAppender = new Log4jRecordingAppender();
 +        final Logger rootLogger = Logger.getRootLogger();
 +        rootLogger.addAppender(recordingAppender);
 +    }
 +
 +    @After
 +    public void teardownForEachTest() throws Exception {
 +        final Logger rootLogger = Logger.getRootLogger();
 +        rootLogger.removeAppender(recordingAppender);
 +        kdcServer.close();
 +    }
 +
 +    /**
 +     * Configure specific Gremlin Server settings for specific tests.
 +     */
 +    @Override
 +    public Settings overrideSettings(final Settings settings) {
 +        settings.host = kdcServer.hostname;
 +        final Settings.SslSettings sslConfig = new Settings.SslSettings();
 +        sslConfig.enabled = false;
 +        settings.ssl = sslConfig;
 +        final Settings.AuthenticationSettings authSettings = new Settings.AuthenticationSettings();
 +        settings.authentication = authSettings;
 +        authSettings.className = Krb5Authenticator.class.getName();
 +        final Map<String,Object> authConfig = new HashMap<>();
 +        authConfig.put("principal", kdcServer.serverPrincipal);
 +        authConfig.put("keytab", kdcServer.serviceKeytabFile.getAbsolutePath());
 +        authSettings.config = authConfig;
 +
 +        final String nameOfTest = name.getMethodName();
 +        switch (nameOfTest) {
 +            case "shouldAuthenticateWithDefaults":
 +            case "shouldFailWithoutClientJaasEntry":
 +            case "shouldFailWithoutClientTicketCache":
 +                break;
 +            case "shouldFailWithNonexistentServerPrincipal":
 +                authConfig.put("principal", "no-service");
 +                break;
 +            case "shouldFailWithEmptyServerKeytab":
 +                final File keytabFile = new File(".", "no-file");
 +                authConfig.put("keytab", keytabFile);
 +                break;
 +            case "shouldFailWithWrongServerKeytab":
 +                final String principal = "no-principal/somehost@TEST.COM";
 +                try { kdcServer.createPrincipal(principal); } catch(Exception e) {
 +                    logger.error("Cannot create principal in overrideSettings(): " + e.getMessage());
 +                };
 +                authConfig.put("principal", principal);
 +                break;
 +            case "shouldAuthenticateWithSsl":
 +                sslConfig.enabled = true;
++                sslConfig.keyStore = JKS_SERVER_KEY;
++                sslConfig.keyStorePassword = KEY_PASS;
++                sslConfig.keyStoreType = KEYSTORE_TYPE_JKS;
 +                break;
 +            case "shouldAuthenticateWithQop":
 +                break;
 +        }
 +        return settings;
 +    }
 +
 +    @Test
 +    public void shouldAuthenticateWithDefaults() throws Exception {
 +        final Cluster cluster = TestClientFactory.build().jaasEntry(TESTCONSOLE)
 +                .protocol(kdcServer.serverPrincipalName).addContactPoint(kdcServer.hostname).create();
 +        final Client client = cluster.connect();
 +        try {
 +            assertEquals(2, client.submit("1+1").all().get().get(0).getInt());
 +            assertEquals(3, client.submit("1+2").all().get().get(0).getInt());
 +            assertEquals(4, client.submit("1+3").all().get().get(0).getInt());
 +        } finally {
 +            cluster.close();
 +        }
 +    }
 +
 +    @Test
 +    public void shouldFailWithoutClientJaasEntry() throws Exception {
 +        final Cluster cluster = TestClientFactory.build().protocol(kdcServer.serverPrincipalName)
 +                .addContactPoint(kdcServer.hostname).create();
 +        final Client client = cluster.connect();
 +        try {
 +            client.submit("1+1").all().get();
 +            fail("This should not succeed as the client config does not contain a JaasEntry");
 +        } catch(Exception ex) {
 +            final Throwable root = ExceptionUtils.getRootCause(ex);
 +            assertTrue(root instanceof ResponseException || root instanceof GSSException);
 +        } finally {
 +            cluster.close();
 +        }
 +    }
 +
 +    @Test
 +    public void shouldFailWithoutClientTicketCache() throws Exception {
 +        final Cluster cluster = TestClientFactory.build().jaasEntry(TESTCONSOLE_NOT_LOGGED_IN)
 +                .protocol(kdcServer.serverPrincipalName).addContactPoint(kdcServer.hostname).create();
 +        final Client client = cluster.connect();
 +        try {
 +            client.submit("1+1").all().get();
 +            fail("This should not succeed as the client config does not contain a valid ticket cache");
 +        } catch(Exception ex) {
 +            final Throwable root = ExceptionUtils.getRootCause(ex);
 +            assertEquals(LoginException.class, root.getClass());
 +        } finally {
 +            cluster.close();
 +        }
 +    }
 +
 +    @Test
 +    public void shouldFailWithNonexistentServerPrincipal() throws Exception {
 +        assertFailedLogin();
 +    }
 +
 +    @Test
 +    public void shouldFailWithEmptyServerKeytab() throws Exception {
 +        assertFailedLogin();
 +    }
 +
 +    @Test
 +    public void shouldFailWithWrongServerKeytab() throws Exception {
 +        assertFailedLogin();
 +    }
 +
 +    @Test
 +    public void shouldAuthenticateWithQop() throws Exception {
 +        final String oldQop = System.getProperty("javax.security.sasl.qop", "");
 +        System.setProperty("javax.security.sasl.qop", "auth-conf");
 +        final Cluster cluster = TestClientFactory.build().jaasEntry(TESTCONSOLE)
 +                .protocol(kdcServer.serverPrincipalName).addContactPoint(kdcServer.hostname).create();
 +        final Client client = cluster.connect();
 +        try {
 +            assertEquals(2, client.submit("1+1").all().get().get(0).getInt());
 +            assertEquals(3, client.submit("1+2").all().get().get(0).getInt());
 +            assertEquals(4, client.submit("1+3").all().get().get(0).getInt());
 +        } finally {
 +            cluster.close();
 +            System.setProperty("javax.security.sasl.qop", oldQop);
 +        }
 +    }
 +
 +    @Test
 +    public void shouldAuthenticateWithSsl() throws Exception {
-         final Cluster cluster = TestClientFactory.build().jaasEntry(TESTCONSOLE).enableSsl(true)
++        final Cluster cluster = TestClientFactory.build().jaasEntry(TESTCONSOLE).enableSsl(true).sslSkipCertValidation(true)
 +                .protocol(kdcServer.serverPrincipalName).addContactPoint(kdcServer.hostname).create();
 +        final Client client = cluster.connect();
 +        try {
 +            assertEquals(2, client.submit("1+1").all().get().get(0).getInt());
 +            assertEquals(3, client.submit("1+2").all().get().get(0).getInt());
 +            assertEquals(4, client.submit("1+3").all().get().get(0).getInt());
 +        } finally {
 +            cluster.close();
 +        }
 +    }
 +
 +    @Test
 +    public void shouldAuthenticateWithSerializeResultToStringV1() throws Exception {
 +        final MessageSerializer serializer = new GryoMessageSerializerV1d0();
 +        final Map<String,Object> config = new HashMap<>();
 +        config.put("serializeResultToString", true);
 +        serializer.configure(config, null);
 +        final Cluster cluster = TestClientFactory.build().jaasEntry(TESTCONSOLE)
 +                .protocol(kdcServer.serverPrincipalName).addContactPoint(kdcServer.hostname).serializer(serializer).create();
 +        final Client client = cluster.connect();
 +        try {
 +            assertEquals(2, client.submit("1+1").all().get().get(0).getInt());
 +            assertEquals(3, client.submit("1+2").all().get().get(0).getInt());
 +            assertEquals(4, client.submit("1+3").all().get().get(0).getInt());
 +        } finally {
 +            cluster.close();
 +        }
 +    }
 +
 +    @Test
 +    public void shouldAuthenticateWithSerializeResultToStringV3() throws Exception {
 +        final MessageSerializer serializer = new GryoMessageSerializerV3d0();
 +        final Map<String, Object> config = new HashMap<>();
 +        config.put("serializeResultToString", true);
 +        serializer.configure(config, null);
 +        final Cluster cluster = TestClientFactory.build().jaasEntry(TESTCONSOLE)
 +                .protocol(kdcServer.serverPrincipalName).addContactPoint(kdcServer.hostname).serializer(serializer).create();
 +        final Client client = cluster.connect();
 +        try {
 +            assertEquals(2, client.submit("1+1").all().get().get(0).getInt());
 +            assertEquals(3, client.submit("1+2").all().get().get(0).getInt());
 +            assertEquals(4, client.submit("1+3").all().get().get(0).getInt());
 +        } finally {
 +            cluster.close();
 +        }
 +    }
 +
 +    /**
 +     * Tries to force the logger to flush fully or at least wait until it does.
 +     */
 +    private void assertFailedLogin() throws Exception {
 +        stopServer();
 +
 +        boolean logMessageIdentified = false;
 +        for (int ix = 0; ix < 10 && !logMessageIdentified; ix++) {
 +            logMessageIdentified = recordingAppender.logContainsAny("WARN - Failed to login to kdc");
 +            if (!logMessageIdentified) Thread.sleep(1000);
 +        }
 +
 +        assertThat(logMessageIdentified, is(true));
 +    }
 +}
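Review bot: `shouldAuthenticateWithSsl` now builds the client with `sslSkipCertValidation(true)`, so the test no longer checks that the server presents a certificate the client trusts; it would pass even if `JKS_SERVER_KEY` held the wrong certificate. This merge adds `client-trust.jks` to the test resources, so the client should instead be configured with the `trustStore`/`trustStorePassword` settings the driver gains here, and a separate negative case should assert that the handshake fails without the trust store. Also, `teardownForEachTest` calls `kdcServer.close()` unconditionally while `setUp` swallows the `KdcFixture` construction failure and only logs it, so a KDC setup problem surfaces as a `NullPointerException` in teardown; guard the close with a null check.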

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
----------------------------------------------------------------------
diff --cc gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
index 0de3718,2198682..db2727a
--- a/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
+++ b/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerIntegrateTest.java
@@@ -222,25 -227,76 +226,79 @@@ public class GremlinServerIntegrateTes
                  settings.ssl = new Settings.SslSettings();
                  settings.ssl.enabled = true;
                  settings.ssl.needClientAuth = ClientAuth.REQUIRE;
-                 settings.ssl.keyCertChainFile = SERVER_CRT;
-                 settings.ssl.keyFile = SERVER_KEY;
-                 settings.ssl.keyPassword =KEY_PASS;
+                 settings.ssl.keyCertChainFile = PEM_SERVER_CRT;
+                 settings.ssl.keyFile = PEM_SERVER_KEY;
+                 settings.ssl.keyPassword = KEY_PASS;
                  // Trust ONLY the server cert
-                 settings.ssl.trustCertChainFile = SERVER_CRT;
-             	break;
+                 settings.ssl.trustCertChainFile = PEM_SERVER_CRT;
+                 break;
+             case "shouldEnableSslAndClientCertificateAuthWithPkcs12":
+                 settings.ssl = new Settings.SslSettings();
+                 settings.ssl.enabled = true;
+                 settings.ssl.needClientAuth = ClientAuth.REQUIRE;
+                 settings.ssl.keyStore = P12_SERVER_KEY;
+                 settings.ssl.keyStorePassword = KEY_PASS;
+                 settings.ssl.keyStoreType = KEYSTORE_TYPE_PKCS12;
+                 settings.ssl.trustStore = P12_SERVER_TRUST;
+                 settings.ssl.trustStorePassword = KEY_PASS;
+                 break;
+             case "shouldEnableSslAndClientCertificateAuth":
+                 settings.ssl = new Settings.SslSettings();
+                 settings.ssl.enabled = true;
+                 settings.ssl.needClientAuth = ClientAuth.REQUIRE;
+                 settings.ssl.keyStore = JKS_SERVER_KEY;
+                 settings.ssl.keyStorePassword = KEY_PASS;
+                 settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
+                 settings.ssl.trustStore = JKS_SERVER_TRUST;
+                 settings.ssl.trustStorePassword = KEY_PASS;
+                 break;
+             case "shouldEnableSslAndClientCertificateAuthAndFailWithoutCert":
+                 settings.ssl = new Settings.SslSettings();
+                 settings.ssl.enabled = true;
+                 settings.ssl.needClientAuth = ClientAuth.REQUIRE;
+                 settings.ssl.keyStore = JKS_SERVER_KEY;
+                 settings.ssl.keyStorePassword = KEY_PASS;
+                 settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
+                 settings.ssl.trustStore = JKS_SERVER_TRUST;
+                 settings.ssl.trustStorePassword = KEY_PASS;
+                 break;
+             case "shouldEnableSslAndClientCertificateAuthAndFailWithoutTrustedClientCert":
+                 settings.ssl = new Settings.SslSettings();
+                 settings.ssl.enabled = true;
+                 settings.ssl.needClientAuth = ClientAuth.REQUIRE;
+                 settings.ssl.keyStore = JKS_SERVER_KEY;
+                 settings.ssl.keyStorePassword = KEY_PASS;
+                 settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
+                 break;
+             case "shouldEnableSslAndFailIfProtocolsDontMatch":
+                 settings.ssl = new Settings.SslSettings();
+                 settings.ssl.enabled = true;
+                 settings.ssl.keyStore = JKS_SERVER_KEY;
+                 settings.ssl.keyStorePassword = KEY_PASS;
+                 settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
+                 settings.ssl.sslEnabledProtocols = Arrays.asList("TLSv1.1");
+                 break;
+             case "shouldEnableSslAndFailIfCiphersDontMatch":
+                 settings.ssl = new Settings.SslSettings();
+                 settings.ssl.enabled = true;
+                 settings.ssl.keyStore = JKS_SERVER_KEY;
+                 settings.ssl.keyStorePassword = KEY_PASS;
+                 settings.ssl.keyStoreType = KEYSTORE_TYPE_JKS;
+                 settings.ssl.sslCipherSuites = Arrays.asList("TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
+                 break;
              case "shouldUseSimpleSandbox":
 -                settings.scriptEngines.get("gremlin-groovy").config = getScriptEngineConfForSimpleSandbox();
 +                settings.scriptEngines.get("gremlin-groovy").plugins.put(GroovyCompilerGremlinPlugin.class.getName(), getScriptEngineConfForSimpleSandbox());
 +                // remove the script because it isn't used in the test but also because it's not CompileStatic ready
 +                settings.scriptEngines.get("gremlin-groovy").plugins.remove(ScriptFileGremlinPlugin.class.getName());
                  break;
              case "shouldUseInterpreterMode":
 -                settings.scriptEngines.get("gremlin-groovy").config = getScriptEngineConfForInterpreterMode();
 +                settings.scriptEngines.get("gremlin-groovy").plugins.put(GroovyCompilerGremlinPlugin.class.getName(), getScriptEngineConfForInterpreterMode());
                  break;
              case "shouldReceiveFailureTimeOutOnScriptEvalOfOutOfControlLoop":
 -                settings.scriptEngines.get("gremlin-groovy").config = getScriptEngineConfForTimedInterrupt();
 +                settings.scriptEngines.get("gremlin-groovy").plugins.put(GroovyCompilerGremlinPlugin.class.getName(), getScriptEngineConfForTimedInterrupt());
                  break;
              case "shouldUseBaseScript":
 +                settings.scriptEngines.get("gremlin-groovy").plugins.put(GroovyCompilerGremlinPlugin.class.getName(), getScriptEngineConfForBaseScript());
                  settings.scriptEngines.get("gremlin-groovy").config = getScriptEngineConfForBaseScript();
                  break;
              case "shouldReturnInvalidRequestArgsWhenBindingCountExceedsAllowable":
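Review bot: the six new SSL cases repeat the same key store setup (`keyStore = JKS_SERVER_KEY`, `keyStorePassword = KEY_PASS`, `keyStoreType = KEYSTORE_TYPE_JKS`) and differ only in `needClientAuth`, `trustStore`, `sslEnabledProtocols` or `sslCipherSuites`; a small helper returning a pre-populated `Settings.SslSettings` would keep them from drifting, and it would make obvious that `shouldEnableSslAndClientCertificateAuth` and `shouldEnableSslAndClientCertificateAuthAndFailWithoutCert` currently configure the server identically. Two smaller points: `shouldEnableSslAndFailIfProtocolsDontMatch` relies on the JVM still enabling `TLSv1.1`; once `jdk.tls.disabledAlgorithms` in `java.security` disables it, the handshake fails for a different reason and the test passes without exercising the mismatch, so the assertion should check the failure cause. And `shouldUseBaseScript` keeps the legacy `config = getScriptEngineConfForBaseScript()` line next to the new `plugins.put(GroovyCompilerGremlinPlugin...)` line, whereas the three cases above it replaced `config` with `plugins.put`; the leftover assignment looks like an incomplete migration.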

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/e1c46b26/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/channel/AbstractGremlinServerChannelizerIntegrateTest.java
----------------------------------------------------------------------


[4/9] tinkerpop git commit: TINKERPOP-2023 default to TLSv1.2, updated upgrade notes

Posted by rd...@apache.org.
TINKERPOP-2023 default to TLSv1.2, updated upgrade notes


Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/ca83fbdf
Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/ca83fbdf
Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/ca83fbdf

Branch: refs/heads/tp33
Commit: ca83fbdfdc885a9774ba1dbc17b3d9df75c49137
Parents: e3b4ae5
Author: Robert Dale <ro...@gmail.com>
Authored: Sun Aug 12 21:50:02 2018 -0400
Committer: Robert Dale <ro...@gmail.com>
Committed: Fri Aug 17 15:06:33 2018 -0400

----------------------------------------------------------------------
 CHANGELOG.asciidoc                              |  1 +
 .../upgrade/release-3.2.x-incubating.asciidoc   | 25 ++++++++++++++++++++
 gremlin-console/conf/remote-secure.yaml         |  2 +-
 .../conf/gremlin-server-rest-secure.yaml        |  1 +
 gremlin-server/conf/gremlin-server-secure.yaml  |  1 +
 5 files changed, 29 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/CHANGELOG.asciidoc
----------------------------------------------------------------------
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index eb1a6c5..9dec8df 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -23,6 +23,7 @@ image::https://raw.githubusercontent.com/apache/tinkerpop/master/docs/static/ima
 [[release-3-2-10]]
 === TinkerPop 3.2.10 (Release Date: NOT OFFICIALLY RELEASED YET)
 
+* SSL security enhancements
 * Fixed problem with Gremlin Server sometimes returning an additional message after a failure.
 * Allowed spaces in classpath for `gremlin-server.bat`.
 * Modified Maven archetype for Gremlin Server to use remote traversals rather than scripts.
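Review bot: "SSL security enhancements" is too vague for a changelog line that covers behaviour changes users will hit on upgrade. The upgrade-notes hunk in this same commit spells them out; the entry should name them, for example `* Removed automatic self-signed certificate generation from Gremlin Server; a key store is now required when SSL is enabled.`, `* Gremlin Driver no longer trusts all certificates by default.` and `* Added JKS/PKCS12 key store support and the sslEnabledProtocols and sslCipherSuites options for server and driver.`, with TINKERPOP-2022 and TINKERPOP-2023 referenced as the upgrade notes do.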

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/docs/src/upgrade/release-3.2.x-incubating.asciidoc
----------------------------------------------------------------------
diff --git a/docs/src/upgrade/release-3.2.x-incubating.asciidoc b/docs/src/upgrade/release-3.2.x-incubating.asciidoc
index af03937..9b0a120 100644
--- a/docs/src/upgrade/release-3.2.x-incubating.asciidoc
+++ b/docs/src/upgrade/release-3.2.x-incubating.asciidoc
@@ -29,6 +29,31 @@ Please see the link:https://github.com/apache/tinkerpop/blob/3.2.10/CHANGELOG.as
 
 === Upgrading for Users
 
+==== SSL Security
+
+TinkerPop improves its security posture by removing insecure defaults and adding forward-looking standards support.
+
+Gremlin Server no longer supports automatically creating self-signed certificates.
+Self-signed certificates can still be created manually outside of Gremlin Server.
+If ssl is enabled, a key store must be configured.
+
+Cluster client no longer trusts all certs by default as this is an insecure configuration.
+Instead, if no trust store is configured, Cluster will use the default CA certs.
+To revert to the previous behavior and accept all certs, it must be explicitly configured.
+
+This release introduces JKS and PKCS12 support. JKS is the legacy Java Key Store. PKCS12 has better cross-platform support and is gaining in adoption.
+Be aware that JKS is the default on Java 8.  Java 9 and higher use PKCS12 as the default. Both Java keytool and OpenSSL tools can create, read, update PKCS12 files.
+
+Other new features include specifying SSL protocols and cipher suites.
+The packaged `*-secure.yaml` files now restrict the protocol to `TLSv1.2` by default.
+
+PEM-based configurations are deprecated and may be removed in a future release.
+
+See the section on configuring SSL.
+
+link:https://issues.apache.org/jira/browse/TINKERPOP-2022[TINKERPOP-2022]
+link:https://issues.apache.org/jira/browse/TINKERPOP-2023[TINKERPOP-2023]
+
 ==== Bulk Import and Export
 
 TinkerPop has provided some general methods for importing and exporting data, but more and more graph providers are
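Review bot: "To revert to the previous behavior and accept all certs, it must be explicitly configured" never names the setting; readers migrating need `sslSkipCertValidation: true` (the option in the driver table, and the one removed from `remote-secure.yaml` in this commit) together with a warning that it disables certificate validation entirely. Likewise "a key store must be configured" should name `keyStore`/`keyStorePassword`, and the PEM deprecation should list the affected settings (`keyCertChainFile`, `keyFile`, `keyPassword`, `trustCertChainFile`). "Cluster will use the default CA certs" is more precisely the JVM's default `TrustManager` backed by its `cacerts` store, and "See the section on configuring SSL." should be an asciidoc cross-reference rather than prose. Finally, restricting the packaged `*-secure.yaml` files to `TLSv1.2` will break clients whose JVM does not enable TLSv1.2 by default; say so and point at `sslEnabledProtocols` on both the server and the driver.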

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/gremlin-console/conf/remote-secure.yaml
----------------------------------------------------------------------
diff --git a/gremlin-console/conf/remote-secure.yaml b/gremlin-console/conf/remote-secure.yaml
index c7a2c44..b0a7309 100644
--- a/gremlin-console/conf/remote-secure.yaml
+++ b/gremlin-console/conf/remote-secure.yaml
@@ -30,5 +30,5 @@ username: stephen
 password: password
 connectionPool: {
   enableSsl: true,
-  sslSkipCertValidation: true }
+  sslEnabledProtocols: [TLSv1.2] }
 serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
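Review bot: dropping `sslSkipCertValidation: true` is the right hardening, but replacing it silently with a protocol pin leaves no trace in the file of why the sample stopped accepting the self-signed certificate the documentation has readers create. Keep the option visible as a commented, clearly labelled line, for example `# sslSkipCertValidation: true   # INSECURE: accepts any server certificate, testing only`, next to commented `trustStore`/`trustStorePassword` placeholders, so the migration path is obvious from the file itself; the server `*-secure.yaml` files in this commit already use commented entries inside the flow mapping for the same purpose.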

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/gremlin-server/conf/gremlin-server-rest-secure.yaml
----------------------------------------------------------------------
diff --git a/gremlin-server/conf/gremlin-server-rest-secure.yaml b/gremlin-server/conf/gremlin-server-rest-secure.yaml
index fcfbba1..2f4db91 100644
--- a/gremlin-server/conf/gremlin-server-rest-secure.yaml
+++ b/gremlin-server/conf/gremlin-server-rest-secure.yaml
@@ -70,6 +70,7 @@ authentication: {
     credentialsDb: conf/tinkergraph-credentials.properties}}
 ssl: {
   enabled: true,
+  sslEnabledProtocols: [TLSv1.2],
   # You must configure a keyStore!
   #keyStore: server.jks,
   #keyStorePassword: changeit
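Review bot: with `enabled: true` and both `keyStore` lines commented out, this sample now fails at startup, since the upgrade notes in this commit make a key store mandatory when SSL is enabled and remove self-signed generation. The "You must configure a keyStore!" comment should say so explicitly, for example "Gremlin Server will not start with ssl enabled until keyStore and keyStorePassword are set", and point at the keytool step in the Quick Start, so the first startup error is not the reader's only hint.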

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/gremlin-server/conf/gremlin-server-secure.yaml
----------------------------------------------------------------------
diff --git a/gremlin-server/conf/gremlin-server-secure.yaml b/gremlin-server/conf/gremlin-server-secure.yaml
index af46c59..637af12 100644
--- a/gremlin-server/conf/gremlin-server-secure.yaml
+++ b/gremlin-server/conf/gremlin-server-secure.yaml
@@ -74,6 +74,7 @@ authentication: {
     credentialsDb: conf/tinkergraph-credentials.properties}}
 ssl: {
   enabled: true,
+  sslEnabledProtocols: [TLSv1.2],
   # You must configure a keyStore!
   #keyStore: server.jks,
   #keyStorePassword: changeit
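Review bot: the sample gives no `keyStoreType`, although the upgrade notes in this commit point out that keytool's default format differs between Java 8 (JKS) and Java 9 and higher (PKCS12), and the merged `GremlinServerIntegrateTest` on this page exercises `settings.ssl.keyStoreType` for both; add a commented `#keyStoreType: JKS,` (or `PKCS12`) line beside `#keyStore: server.jks,` so readers set it deliberately instead of discovering the mismatch at startup. Also, `keyStorePassword: changeit` in plain text in this YAML is all that protects the private key; the surrounding comment should remind operators to change it and restrict the file's permissions.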