From 6f1f6aac56657098145446fce1e655fb246f19a2 Mon Sep 17 00:00:00 2001 From: Zixuan Liu Date: Tue, 26 Jul 2022 18:44:25 +0800 Subject: [PATCH] [PIP-158][improve][client] Split client TLS transport encryption from authentication (#15634) --- .../AuthenticatedProducerConsumerTest.java | 64 ++++++++++++++++++- .../client/api/TlsProducerConsumerTest.java | 45 ++++++++++++- ...reTlsProducerConsumerTestWithAuthTest.java | 64 ++++++++++++++++++- ...lsProducerConsumerTestWithoutAuthTest.java | 50 ++++++++++++++- .../pulsar/client/api/ClientBuilder.java | 40 ++++++++++++ .../pulsar/client/impl/ClientBuilderImpl.java | 30 +++++++++ .../apache/pulsar/client/impl/HttpClient.java | 16 +++-- .../client/impl/PulsarChannelInitializer.java | 5 ++ .../impl/conf/ClientConfigurationData.java | 33 +++++++++- .../NettySSLContextAutoRefreshBuilder.java | 13 +++- .../common/util/netty/SslContextTest.java | 1 + .../proxy/server/DirectProxyHandler.java | 3 + 12 files changed, 349 insertions(+), 15 deletions(-) diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticatedProducerConsumerTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticatedProducerConsumerTest.java index 046b26846e2d3..4cb8e71c1ab0b 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticatedProducerConsumerTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticatedProducerConsumerTest.java @@ -28,15 +28,23 @@ import java.util.HashSet; import java.util.Map; import java.util.Optional; +import java.util.Properties; import java.util.Set; import java.util.concurrent.TimeUnit; +import java.util.function.Supplier; +import javax.crypto.SecretKey; import javax.ws.rs.InternalServerErrorException; +import io.jsonwebtoken.SignatureAlgorithm; +import lombok.Cleanup; import org.apache.pulsar.broker.authentication.AuthenticationProviderBasic; import org.apache.pulsar.broker.authentication.AuthenticationProviderTls; +import org.apache.pulsar.broker.authentication.AuthenticationProviderToken; +import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils; import org.apache.pulsar.client.admin.PulsarAdmin; import org.apache.pulsar.client.admin.PulsarAdminException; import org.apache.pulsar.client.impl.auth.AuthenticationBasic; import org.apache.pulsar.client.impl.auth.AuthenticationTls; +import org.apache.pulsar.client.impl.auth.AuthenticationToken; import org.apache.pulsar.common.naming.NamespaceName; import org.apache.pulsar.common.naming.TopicName; import org.apache.pulsar.common.policies.data.AuthAction; @@ -64,6 +72,10 @@ public class AuthenticatedProducerConsumerTest extends ProducerConsumerBase { private final String BASIC_CONF_FILE_PATH = "./src/test/resources/authentication/basic/.htpasswd"; + private final SecretKey SECRET_KEY = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256); + private final String ADMIN_TOKEN = AuthTokenUtils.createToken(SECRET_KEY, "admin", Optional.empty()); + + @BeforeMethod @Override protected void setup() throws Exception { @@ -95,8 +107,15 @@ protected void setup() throws Exception { Set providers = new HashSet<>(); providers.add(AuthenticationProviderTls.class.getName()); - providers.add(AuthenticationProviderBasic.class.getName()); + System.setProperty("pulsar.auth.basic.conf", BASIC_CONF_FILE_PATH); + providers.add(AuthenticationProviderBasic.class.getName()); + + Properties properties = new Properties(); + properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(SECRET_KEY)); + conf.setProperties(properties); + providers.add(AuthenticationProviderToken.class.getName()); + conf.setAuthenticationProviders(providers); conf.setClusterName("test"); @@ -403,4 +422,47 @@ public void testDeleteAuthenticationPoliciesOfTopic() throws Exception { admin.tenants().deleteTenant("p1"); admin.clusters().deleteCluster("test"); } + + private final Authentication tlsAuth = new AuthenticationTls(TLS_CLIENT_CERT_FILE_PATH, TLS_CLIENT_KEY_FILE_PATH); + private final Authentication tokenAuth = new AuthenticationToken(ADMIN_TOKEN); + + @DataProvider + public Object[][] tlsTransportWithAuth() { + Supplier webServiceAddressTls = () -> pulsar.getWebServiceAddressTls(); + Supplier brokerServiceUrlTls = () -> pulsar.getBrokerServiceUrlTls(); + + return new Object[][]{ + // Verify TLS transport encryption with TLS authentication + {webServiceAddressTls, tlsAuth}, + {brokerServiceUrlTls, tlsAuth}, + // Verify TLS transport encryption with token authentication + {webServiceAddressTls, tokenAuth}, + {brokerServiceUrlTls, tokenAuth}, + }; + } + + @Test(dataProvider = "tlsTransportWithAuth") + public void testTlsTransportWithAnyAuth(Supplier url, Authentication auth) throws Exception { + final String topicName = "persistent://my-property/my-ns/my-topic-1"; + + internalSetup(new AuthenticationToken(ADMIN_TOKEN)); + admin.clusters().createCluster("test", ClusterData.builder().serviceUrl(pulsar.getWebServiceAddress()).build()); + admin.tenants().createTenant("my-property", + new TenantInfoImpl(Sets.newHashSet(), Sets.newHashSet("test"))); + admin.namespaces().createNamespace("my-property/my-ns", Sets.newHashSet("test")); + + @Cleanup + PulsarClient client = PulsarClient.builder().serviceUrl(url.get()) + .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH) + .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH) + .tlsKeyFilePath(TLS_CLIENT_KEY_FILE_PATH) + .tlsCertificateFilePath(TLS_CLIENT_CERT_FILE_PATH) + .authentication(auth) + .allowTlsInsecureConnection(false) + .enableTlsHostnameVerification(false) + .build(); + + @Cleanup + Producer ignored = client.newProducer().topic(topicName).create(); + } } diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerTest.java index 78aafbf175629..06666d55ec45c 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerTest.java @@ -27,17 +27,16 @@ import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicInteger; import java.util.function.Supplier; - +import lombok.Cleanup; import org.apache.commons.compress.utils.IOUtils; import org.apache.pulsar.broker.service.persistent.PersistentTopic; import org.apache.pulsar.client.impl.auth.AuthenticationTls; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.testng.Assert; +import org.testng.annotations.DataProvider; import org.testng.annotations.Test; -import lombok.Cleanup; - @Test(groups = "broker-api") public class TlsProducerConsumerTest extends TlsProducerConsumerBase { private static final Logger log = LoggerFactory.getLogger(TlsProducerConsumerTest.class); @@ -252,4 +251,44 @@ private ByteArrayInputStream createByteInputStream(String filePath) throws IOExc private ByteArrayInputStream getStream(AtomicInteger index, ByteArrayInputStream... streams) { return streams[index.intValue()]; } + + private final Authentication tlsAuth = new AuthenticationTls(TLS_CLIENT_CERT_FILE_PATH, TLS_CLIENT_KEY_FILE_PATH); + + @DataProvider + public Object[] tlsTransport() { + Supplier webServiceAddressTls = () -> pulsar.getWebServiceAddressTls(); + Supplier brokerServiceUrlTls = () -> pulsar.getBrokerServiceUrlTls(); + + return new Object[][]{ + // Set TLS transport directly. + {webServiceAddressTls, null}, + {brokerServiceUrlTls, null}, + // Using TLS authentication data to set up TLS transport. + {webServiceAddressTls, tlsAuth}, + {brokerServiceUrlTls, tlsAuth}, + }; + } + + @Test(dataProvider = "tlsTransport") + public void testTlsTransport(Supplier url, Authentication auth) throws Exception { + final String topicName = "persistent://my-property/my-ns/my-topic-1"; + + internalSetUpForNamespace(); + + ClientBuilder clientBuilder = PulsarClient.builder().serviceUrl(url.get()) + .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH) + .allowTlsInsecureConnection(false) + .enableTlsHostnameVerification(false) + .authentication(auth); + + if (auth == null) { + clientBuilder.tlsKeyFilePath(TLS_CLIENT_KEY_FILE_PATH).tlsCertificateFilePath(TLS_CLIENT_CERT_FILE_PATH); + } + + @Cleanup + PulsarClient client = clientBuilder.build(); + + @Cleanup + Producer ignored = client.newProducer().topic(topicName).create(); + } } diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java index 18041d1a928ca..3b65806515001 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java @@ -19,18 +19,25 @@ package org.apache.pulsar.client.impl; import static org.mockito.Mockito.spy; - import com.google.common.collect.Sets; import java.util.Arrays; import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Optional; +import java.util.Properties; import java.util.Set; import java.util.concurrent.TimeUnit; +import java.util.function.Supplier; + +import io.jsonwebtoken.SignatureAlgorithm; +import lombok.Cleanup; import lombok.extern.slf4j.Slf4j; import org.apache.pulsar.broker.authentication.AuthenticationProviderTls; +import org.apache.pulsar.broker.authentication.AuthenticationProviderToken; +import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils; import org.apache.pulsar.client.admin.PulsarAdmin; +import org.apache.pulsar.client.api.Authentication; import org.apache.pulsar.client.api.ClientBuilder; import org.apache.pulsar.client.api.Consumer; import org.apache.pulsar.client.api.Message; @@ -39,17 +46,23 @@ import org.apache.pulsar.client.api.PulsarClient; import org.apache.pulsar.client.api.SubscriptionType; import org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls; +import org.apache.pulsar.client.impl.auth.AuthenticationToken; import org.apache.pulsar.common.policies.data.ClusterData; import org.apache.pulsar.common.policies.data.TenantInfoImpl; import org.testng.Assert; import org.testng.annotations.AfterMethod; import org.testng.annotations.BeforeMethod; +import org.testng.annotations.DataProvider; import org.testng.annotations.Test; +import javax.crypto.SecretKey; + // TLS authentication and authorization based on KeyStore type config. @Slf4j @Test(groups = "broker-impl") public class KeyStoreTlsProducerConsumerTestWithAuthTest extends ProducerConsumerBase { + private final SecretKey SECRET_KEY = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256); + private final String CLIENTUSER_TOKEN = AuthTokenUtils.createToken(SECRET_KEY, "clientuser", Optional.empty()); private final String clusterName = "use"; @@ -92,6 +105,13 @@ protected void internalSetUpForBroker() { conf.setAuthorizationEnabled(true); Set providers = new HashSet<>(); providers.add(AuthenticationProviderTls.class.getName()); + + Properties properties = new Properties(); + properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(SECRET_KEY)); + conf.setProperties(properties); + + providers.add(AuthenticationProviderToken.class.getName()); + conf.setAuthenticationProviders(providers); conf.setNumExecutorThreadPoolSize(5); } @@ -255,4 +275,46 @@ public void testTlsClientAuthOverHTTPProtocol() throws Exception { .subscribe(); } + private final Authentication tlsAuth = + new AuthenticationKeyStoreTls(KEYSTORE_TYPE, CLIENT_KEYSTORE_FILE_PATH, CLIENT_KEYSTORE_PW); + private final Authentication tokenAuth = new AuthenticationToken(CLIENTUSER_TOKEN); + + @DataProvider + public Object[][] keyStoreTlsTransportWithAuth() { + Supplier webServiceAddressTls = () -> pulsar.getWebServiceAddressTls(); + Supplier brokerServiceUrlTls = () -> pulsar.getBrokerServiceUrlTls(); + + return new Object[][]{ + // Verify JKS TLS transport encryption with TLS authentication + {webServiceAddressTls, tlsAuth}, + {brokerServiceUrlTls, tlsAuth}, + // Verify JKS TLS transport encryption with token authentication + {webServiceAddressTls, tokenAuth}, + {brokerServiceUrlTls, tokenAuth}, + }; + } + + @Test(dataProvider = "keyStoreTlsTransportWithAuth") + public void testKeyStoreTlsTransportWithAuth(Supplier url, Authentication auth) throws Exception { + final String topicName = "persistent://my-property/my-ns/my-topic-1"; + + internalSetUpForNamespace(); + + @Cleanup + PulsarClient client = PulsarClient.builder().serviceUrl(url.get()) + .useKeyStoreTls(true) + .tlsTrustStoreType(KEYSTORE_TYPE) + .tlsTrustStorePath(BROKER_TRUSTSTORE_FILE_PATH) + .tlsTrustStorePassword(BROKER_TRUSTSTORE_PW) + .tlsKeyStoreType(KEYSTORE_TYPE) + .tlsKeyStorePath(CLIENT_KEYSTORE_FILE_PATH) + .tlsKeyStorePassword(CLIENT_KEYSTORE_PW) + .authentication(auth) + .allowTlsInsecureConnection(false) + .enableTlsHostnameVerification(false) + .build(); + + @Cleanup + Producer ignored = client.newProducer().topic(topicName).create(); + } } diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java index d0bdf54dc6339..a4b6ef599b58d 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java @@ -19,7 +19,6 @@ package org.apache.pulsar.client.impl; import static org.mockito.Mockito.spy; - import com.google.common.collect.Sets; import java.util.Arrays; import java.util.HashMap; @@ -27,8 +26,11 @@ import java.util.Optional; import java.util.Set; import java.util.concurrent.TimeUnit; +import java.util.function.Supplier; +import lombok.Cleanup; import lombok.extern.slf4j.Slf4j; import org.apache.pulsar.client.admin.PulsarAdmin; +import org.apache.pulsar.client.api.Authentication; import org.apache.pulsar.client.api.ClientBuilder; import org.apache.pulsar.client.api.Consumer; import org.apache.pulsar.client.api.Message; @@ -42,6 +44,7 @@ import org.testng.Assert; import org.testng.annotations.AfterMethod; import org.testng.annotations.BeforeMethod; +import org.testng.annotations.DataProvider; import org.testng.annotations.Test; // TLS test without authentication and authorization based on KeyStore type config. @@ -241,4 +244,49 @@ public void testTlsClientAuthOverHTTPProtocol() throws Exception { } } + private final Authentication tlsAuth = + new AuthenticationKeyStoreTls(KEYSTORE_TYPE, CLIENT_KEYSTORE_FILE_PATH, CLIENT_KEYSTORE_PW); + + @DataProvider + public Object[][] keyStoreTlsTransport() { + Supplier webServiceAddressTls = () -> pulsar.getWebServiceAddressTls(); + Supplier brokerServiceUrlTls = () -> pulsar.getBrokerServiceUrlTls(); + + return new Object[][]{ + // Set TLS transport directly. + {webServiceAddressTls, null}, + {brokerServiceUrlTls, null}, + // Using TLS authentication data to set up TLS transport. + {webServiceAddressTls, tlsAuth}, + {brokerServiceUrlTls, tlsAuth}, + }; + } + + @Test(dataProvider = "keyStoreTlsTransport") + public void testKeyStoreTlsTransport(Supplier url, Authentication auth) throws Exception { + final String topicName = "persistent://my-property/my-ns/my-topic-1"; + + internalSetUpForNamespace(); + + ClientBuilder clientBuilder = PulsarClient.builder().serviceUrl(url.get()) + .useKeyStoreTls(true) + .tlsTrustStoreType(KEYSTORE_TYPE) + .tlsTrustStorePath(BROKER_TRUSTSTORE_FILE_PATH) + .tlsTrustStorePassword(BROKER_TRUSTSTORE_PW) + .allowTlsInsecureConnection(false) + .enableTlsHostnameVerification(false) + .authentication(auth); + + if (auth == null) { + clientBuilder.tlsKeyStoreType(KEYSTORE_TYPE) + .tlsKeyStorePath(CLIENT_KEYSTORE_FILE_PATH) + .tlsKeyStorePassword(CLIENT_KEYSTORE_PW); + } + + @Cleanup + PulsarClient client = clientBuilder.build(); + + @Cleanup + Producer ignored = client.newProducer().topic(topicName).create(); + } } diff --git a/pulsar-client-api/src/main/java/org/apache/pulsar/client/api/ClientBuilder.java b/pulsar-client-api/src/main/java/org/apache/pulsar/client/api/ClientBuilder.java index 49d79ecdaf6cd..037b1966ba5c8 100644 --- a/pulsar-client-api/src/main/java/org/apache/pulsar/client/api/ClientBuilder.java +++ b/pulsar-client-api/src/main/java/org/apache/pulsar/client/api/ClientBuilder.java @@ -294,6 +294,22 @@ ClientBuilder authentication(String authPluginClassName, Map aut @Deprecated ClientBuilder enableTls(boolean enableTls); + /** + * Set the path to the TLS key file. + * + * @param tlsKeyFilePath + * @return the client builder instance + */ + ClientBuilder tlsKeyFilePath(String tlsKeyFilePath); + + /** + * Set the path to the TLS certificate file. + * + * @param tlsCertificateFilePath + * @return the client builder instance + */ + ClientBuilder tlsCertificateFilePath(String tlsCertificateFilePath); + /** * Set the path to the trusted TLS certificate file. * @@ -340,6 +356,30 @@ ClientBuilder authentication(String authPluginClassName, Map aut */ ClientBuilder sslProvider(String sslProvider); + /** + * The file format of the key store file. + * + * @param tlsKeyStoreType + * @return the client builder instance + */ + ClientBuilder tlsKeyStoreType(String tlsKeyStoreType); + + /** + * The location of the key store file. + * + * @param tlsTrustStorePath + * @return the client builder instance + */ + ClientBuilder tlsKeyStorePath(String tlsTrustStorePath); + + /** + * The store password for the key store file. + * + * @param tlsKeyStorePassword + * @return the client builder instance + */ + ClientBuilder tlsKeyStorePassword(String tlsKeyStorePassword); + /** * The file format of the trust store file. * diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientBuilderImpl.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientBuilderImpl.java index 46befaf6eb9cd..93fe3bf55ed56 100644 --- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientBuilderImpl.java +++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientBuilderImpl.java @@ -174,6 +174,18 @@ public ClientBuilder enableTls(boolean useTls) { return this; } + @Override + public ClientBuilder tlsKeyFilePath(String tlsKeyFilePath) { + conf.setTlsKeyFilePath(tlsKeyFilePath); + return this; + } + + @Override + public ClientBuilder tlsCertificateFilePath(String tlsCertificateFilePath) { + conf.setTlsCertificateFilePath(tlsCertificateFilePath); + return this; + } + @Override public ClientBuilder enableTlsHostnameVerification(boolean enableTlsHostnameVerification) { conf.setTlsHostnameVerificationEnable(enableTlsHostnameVerification); @@ -204,6 +216,24 @@ public ClientBuilder sslProvider(String sslProvider) { return this; } + @Override + public ClientBuilder tlsKeyStoreType(String tlsKeyStoreType) { + conf.setTlsKeyStoreType(tlsKeyStoreType); + return this; + } + + @Override + public ClientBuilder tlsKeyStorePath(String tlsTrustStorePath) { + conf.setTlsKeyStorePath(tlsTrustStorePath); + return this; + } + + @Override + public ClientBuilder tlsKeyStorePassword(String tlsKeyStorePassword) { + conf.setTlsKeyStorePassword(tlsKeyStorePassword); + return this; + } + @Override public ClientBuilder tlsTrustStoreType(String tlsTrustStoreType) { conf.setTlsTrustStoreType(tlsTrustStoreType); diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java index 61d0c2bd64ecc..5d22a9bef1ff9 100644 --- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java +++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java @@ -95,13 +95,15 @@ public boolean keepAlive(InetSocketAddress remoteAddress, Request ahcRequest, if (conf.isUseKeyStoreTls()) { SSLContext sslCtx = null; - KeyStoreParams params = authData.hasDataForTls() ? authData.getTlsKeyStoreParams() : null; + KeyStoreParams params = authData.hasDataForTls() ? authData.getTlsKeyStoreParams() : + new KeyStoreParams(conf.getTlsKeyStoreType(), conf.getTlsKeyStorePath(), + conf.getTlsKeyStorePassword()); sslCtx = KeyStoreSSLContext.createClientSslContext( conf.getSslProvider(), - params != null ? params.getKeyStoreType() : null, - params != null ? params.getKeyStorePath() : null, - params != null ? params.getKeyStorePassword() : null, + params.getKeyStoreType(), + params.getKeyStorePath(), + params.getKeyStorePassword(), conf.isTlsAllowInsecureConnection(), conf.getTlsTrustStoreType(), conf.getTlsTrustStorePath(), @@ -131,7 +133,11 @@ public boolean keepAlive(InetSocketAddress remoteAddress, Request ahcRequest, sslCtx = SecurityUtility.createNettySslContextForClient( sslProvider, conf.isTlsAllowInsecureConnection(), - conf.getTlsTrustCertsFilePath(), conf.getTlsCiphers(), conf.getTlsProtocols()); + conf.getTlsTrustCertsFilePath(), + conf.getTlsCertificateFilePath(), + conf.getTlsKeyFilePath(), + conf.getTlsCiphers(), + conf.getTlsProtocols()); } confBuilder.setSslContext(sslCtx); } diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java index ffe1daab2d5a0..b046d1030eda5 100644 --- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java +++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java @@ -88,6 +88,9 @@ public PulsarChannelInitializer(ClientConfigurationData conf, Supplier ciphers, Set protocols, long certRefreshInSec, @@ -100,6 +103,10 @@ public NettySSLContextAutoRefreshBuilder(String sslProviderString, this.authData = authData; + this.tlsKeyStoreType = keyStoreTypeString; + this.tlsKeyStore = new FileModifiedTimeUpdater(keyStore); + this.tlsKeyStorePassword = keyStorePassword; + this.tlsTrustStoreType = trustStoreTypeString; this.tlsTrustStore = new FileModifiedTimeUpdater(trustStore); this.tlsTrustStorePassword = trustStorePassword; @@ -121,9 +128,9 @@ public synchronized KeyStoreSSLContext update() throws GeneralSecurityException, } else { KeyStoreParams authParams = authData.getTlsKeyStoreParams(); this.keyStoreSSLContext = KeyStoreSSLContext.createClientKeyStoreSslContext(tlsProvider, - authParams != null ? authParams.getKeyStoreType() : null, - authParams != null ? authParams.getKeyStorePath() : null, - authParams != null ? authParams.getKeyStorePassword() : null, + authParams != null ? authParams.getKeyStoreType() : tlsKeyStoreType, + authParams != null ? authParams.getKeyStorePath() : tlsKeyStore.getFileName(), + authParams != null ? authParams.getKeyStorePassword() : tlsKeyStorePassword, tlsAllowInsecureConnection, tlsTrustStoreType, tlsTrustStore.getFileName(), tlsTrustStorePassword, tlsCiphers, tlsProtocols); diff --git a/pulsar-common/src/test/java/org/apache/pulsar/common/util/netty/SslContextTest.java b/pulsar-common/src/test/java/org/apache/pulsar/common/util/netty/SslContextTest.java index fb035d66a76cf..e66bbbc17a287 100644 --- a/pulsar-common/src/test/java/org/apache/pulsar/common/util/netty/SslContextTest.java +++ b/pulsar-common/src/test/java/org/apache/pulsar/common/util/netty/SslContextTest.java @@ -107,6 +107,7 @@ public void testClientKeyStoreSSLContext(Set cipher) throws Exception { null, false, keyStoreType, brokerTrustStorePath, keyStorePassword, + null, null, null, cipher, null, 0, new ClientAuthenticationData()); contextAutoRefreshBuilder.update(); } diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java index 6494e47484c9e..2f067282115d3 100644 --- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java +++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java @@ -128,6 +128,9 @@ public DirectProxyHandler(ProxyService service, ProxyConnection proxyConnection) config.getBrokerClientTlsTrustStoreType(), config.getBrokerClientTlsTrustStore(), config.getBrokerClientTlsTrustStorePassword(), + null, + null, + null, config.getBrokerClientTlsCiphers(), config.getBrokerClientTlsProtocols(), config.getTlsCertRefreshCheckDurationSec(),