Posted to commits@tuweni.apache.org by to...@apache.org on 2023/01/19 08:35:31 UTC
[incubator-tuweni] branch main updated: Add TLS options to server
This is an automated email from the ASF dual-hosted git repository.
toulmean pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-tuweni.git
The following commit(s) were added to refs/heads/main by this push:
new 0fee5ab1c Add TLS options to server
new a7e72b5ee Merge pull request #492 from atoulme/add_tls
0fee5ab1c is described below
commit 0fee5ab1cfa6154f8fddd29e241add62af1a6a39
Author: Antoine Toulme <an...@lunar-ocean.com>
AuthorDate: Mon Jan 16 23:00:43 2023 -0800
Add TLS options to server
---
.../kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCApp.kt | 14 ++++++++++++--
.../kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCConfig.kt | 6 ++++++
.../org/apache/tuweni/jsonrpc/app/JSONRPCConfigTest.kt | 2 ++
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/jsonrpc-app/src/main/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCApp.kt b/jsonrpc-app/src/main/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCApp.kt
index 532d41369..1bc3f6ba6 100644
--- a/jsonrpc-app/src/main/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCApp.kt
+++ b/jsonrpc-app/src/main/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCApp.kt
@@ -110,8 +110,6 @@ class JSONRPCApplication(
fun run() {
logger.info("JSON-RPC proxy starting")
val client = JSONRPCClient(vertx, config.endpointUrl(), basicAuthenticationEnabled = config.endpointBasicAuthEnabled(), basicAuthenticationUsername = config.endpointBasicAuthUsername(), basicAuthenticationPassword = config.endpointBasicAuthPassword())
- // TODO allow more options such as allowlist of certificates, enforce client authentication.
- val trustOptions = VertxTrustOptions.recordClientFingerprints(config.clientFingerprintsFile())
val allowListHandler = MethodAllowListHandler(config.allowedMethods()) { req ->
try {
@@ -154,6 +152,18 @@ class JSONRPCApplication(
val loggingHandler = LoggingHandler(throttlingHandler::handleRequest, "jsonrpclog")
val handler = MeteredHandler(successCounter, failureCounter, loggingHandler::handleRequest)
+
+ val trustOptions = when (config.serverSecurity()) {
+ JSONRPCConfig.ServerSecurity.RECORD ->
+ VertxTrustOptions.recordClientFingerprints(config.clientFingerprintsFile())
+ JSONRPCConfig.ServerSecurity.ALLOWLIST ->
+ VertxTrustOptions.allowlistClients(config.clientFingerprintsFile())
+ JSONRPCConfig.ServerSecurity.CA ->
+ VertxTrustOptions.allowlistClients(config.clientFingerprintsFile(), true)
+ JSONRPCConfig.ServerSecurity.TOFU ->
+ VertxTrustOptions.trustClientOnFirstAccess(config.clientFingerprintsFile())
+ }
+
val server = JSONRPCServer(
vertx,
config.port(), config.networkInterface(),
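Review bot: All four branches of the new `when` hand the same `config.clientFingerprintsFile()` to `VertxTrustOptions`, so the file that `RECORD` mode (the schema default) writes into is the file that `ALLOWLIST` and `CA` mode read from; an operator who runs in record mode for a while and then flips the setting to allowlist has thereby trusted every client that ever connected, which is worth stating at the point where the mode is chosen, e.g. `// All modes share clientFingerprintsFile: fingerprints recorded in RECORD mode become the allowlist in ALLOWLIST/CA mode.` The bare `true` in the `CA` branch says nothing about what it switches on; since `VertxTrustOptions` is not Kotlin-named-argument friendly here, a trailing comment naming the flag (presumably that CA-signed client certificates are accepted without a list entry — confirm against `allowlistClients`) would save the next reader a lookup. The enclosing `run()` starts and ends outside this hunk.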
diff --git a/jsonrpc-app/src/main/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCConfig.kt b/jsonrpc-app/src/main/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCConfig.kt
index 509aab430..58f0e96c5 100644
--- a/jsonrpc-app/src/main/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCConfig.kt
+++ b/jsonrpc-app/src/main/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCConfig.kt
@@ -39,6 +39,7 @@ class JSONRPCConfig(val filePath: Path? = null) {
.addInteger("port", 18545, "JSON-RPC server port", PropertyValidator.isValidPort())
.addString("networkInterface", "127.0.0.1", "JSON-RPC server network interface", null)
.addString("clientFingerprintsFile", "fingerprints.txt", "File recording client connection fingerprints", null)
+ .addString("serverSecurity", "record", "Server security mode: record, allowlist, ca, tofu", null)
.addBoolean("ssl", false, "Whether the JSON-RPC server should serve data over SSL", null)
.addBoolean("basicAuth", false, "Whether the JSON-RPC server should authenticate incoming requests with HTTP Basic Authentication", null)
.addString("basicAuthUsername", "", "HTTP Basic Auth username", null)
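Review bot: The default `"record"` and the documented values `record, allowlist, ca, tofu` on the new `serverSecurity` line are lowercase, but the accessor added in the last hunk of this file, `fun serverSecurity(): ServerSecurity = ServerSecurity.valueOf(config.getString("serverSecurity"))`, passes the raw string to `valueOf`, which matches the constants `RECORD, ALLOWLIST, CA, TOFU` case-sensitively — so with the shipped default every startup fails with `IllegalArgumentException`. Normalise before the lookup: `fun serverSecurity(): ServerSecurity = ServerSecurity.valueOf(config.getString("serverSecurity").uppercase())` (`toUpperCase()` on Kotlin before 1.5). This schema entry also passes `null` as validator where the `port` entry above passes `PropertyValidator.isValidPort()`; if the configuration library offers an enumeration validator, using it here turns a typo in the mode into a load-time error naming the property instead of an unexplained `valueOf` failure deep in `run()`. The `schema()` builder chain continues outside the hunk.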
@@ -64,6 +65,10 @@ class JSONRPCConfig(val filePath: Path? = null) {
val config = if (filePath != null) Configuration.fromToml(filePath, schema()) else Configuration.empty(schema())
+ enum class ServerSecurity {
+ RECORD, ALLOWLIST, CA, TOFU
+ }
+
fun numberOfThreads() = config.getInteger("numberOfThreads")
fun metricsPort() = config.getInteger("metricsPort")
fun metricsNetworkInterface() = config.getString("metricsNetworkInterface")
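Review bot: `ServerSecurity` carries no KDoc, and its constant names alone do not tell a reader what each mode does to a connecting client; the meaning only exists in the `when` in JSONRPCApp.kt. Add a KDoc on the enum with a one-line summary (how the JSON-RPC server treats client TLS certificates) and one line per constant naming the `VertxTrustOptions` factory it selects — `recordClientFingerprints` for `RECORD`, `allowlistClients` for `ALLOWLIST`, `allowlistClients` with its second flag set for `CA`, `trustClientOnFirstAccess` for `TOFU` — and stating that all four operate on `clientFingerprintsFile`. It is also worth noting in that KDoc that `RECORD` is the configured default and, as far as its name and factory suggest, observes rather than enforces, so the mode must be changed to get any rejection of clients (confirm against `VertxTrustOptions`).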
@@ -73,6 +78,7 @@ class JSONRPCConfig(val filePath: Path? = null) {
fun port() = config.getInteger("port")
fun networkInterface() = config.getString("networkInterface")
fun clientFingerprintsFile(): Path = Paths.get(config.getString("clientFingerprintsFile"))
+ fun serverSecurity(): ServerSecurity = ServerSecurity.valueOf(config.getString("serverSecurity"))
fun ssl() = config.getBoolean("ssl")
fun useBasicAuthentication() = config.getBoolean("basicAuth")
fun basicAuthUsername() = config.getString("basicAuthUsername")
diff --git a/jsonrpc-app/src/test/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCConfigTest.kt b/jsonrpc-app/src/test/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCConfigTest.kt
index bbc34e9e8..52230b539 100644
--- a/jsonrpc-app/src/test/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCConfigTest.kt
+++ b/jsonrpc-app/src/test/kotlin/org/apache/tuweni/jsonrpc/app/JSONRPCConfigTest.kt
@@ -79,6 +79,8 @@ class JSONRPCConfigTest {
#port = 18545
## Rejected IP ranges
#rejectedRanges = []
+## Server security mode: record, allowlist, ca, tofu
+#serverSecurity = "record"
## Whether the JSON-RPC server should serve data over SSL
#ssl = false
""".split("\n").joinToString(System.lineSeparator()),