Enable TLS Client Authentication on WebSocketProxy and DiscoveryServi…

…ce (apache#535)
teazj · Jun 30, 2017 · b86f7bb · b86f7bb
1 parent 1994f4f
commit b86f7bb
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 5 deletions.
diff --git a/...-service/src/main/java/org/apache/pulsar/discovery/service/ServiceChannelInitializer.java b/...-service/src/main/java/org/apache/pulsar/discovery/service/ServiceChannelInitializer.java
@@ -55,8 +55,17 @@ protected void initChannel(SocketChannel ch) throws Exception {
             File tlsCert = new File(serviceConfig.getTlsCertificateFilePath());
             File tlsKey = new File(serviceConfig.getTlsKeyFilePath());
             SslContextBuilder builder = SslContextBuilder.forServer(tlsCert, tlsKey);
-            // allows insecure connection
-            builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
+            if (serviceConfig.isTlsAllowInsecureConnection()) {
+                builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
+            } else {
+                if (serviceConfig.getTlsTrustCertsFilePath().isEmpty()) {
+                    // Use system default
+                    builder.trustManager((File) null);
+                } else {
+                    File trustCertCollection = new File(serviceConfig.getTlsTrustCertsFilePath());
+                    builder.trustManager(trustCertCollection);
+                }
+            }
             SslContext sslCtx = builder.clientAuth(ClientAuth.OPTIONAL).build();
             ch.pipeline().addLast(TLS_HANDLER, sslCtx.newHandler(ch.alloc()));
         }

diff --git a/...overy-service/src/main/java/org/apache/pulsar/discovery/service/server/ServerManager.java b/...overy-service/src/main/java/org/apache/pulsar/discovery/service/server/ServerManager.java
@@ -73,14 +73,14 @@ public ServerManager(ServiceConfig config) {
         if (config.isTlsEnabled()) {
             SslContextFactory sslCtxFactory = new SslContextFactory();
             try {
-                SSLContext sslCtx = SecurityUtility.createSslContext(false, null, config.getTlsCertificateFilePath(),
+                SSLContext sslCtx = SecurityUtility.createSslContext(config.isTlsAllowInsecureConnection(), config.getTlsTrustCertsFilePath(), config.getTlsCertificateFilePath(),
                         config.getTlsKeyFilePath());
                 sslCtxFactory.setSslContext(sslCtx);
             } catch (GeneralSecurityException e) {
                 throw new RestException(e);
             }
 
-            sslCtxFactory.setWantClientAuth(false);
+            sslCtxFactory.setWantClientAuth(true);
             ServerConnector tlsConnector = new ServerConnector(server, 1, 1, sslCtxFactory);
             tlsConnector.setPort(config.getWebServicePortTls());
             connectors.add(tlsConnector);

diff --git a/...overy-service/src/main/java/org/apache/pulsar/discovery/service/server/ServiceConfig.java b/...overy-service/src/main/java/org/apache/pulsar/discovery/service/server/ServiceConfig.java
@@ -70,6 +70,10 @@ public class ServiceConfig implements PulsarConfiguration {
     private String tlsCertificateFilePath;
     // Path for the TLS private key file
     private String tlsKeyFilePath;
+    // Path for the trusted TLS certificate file
+    private String tlsTrustCertsFilePath = "";
+    // Accept untrusted TLS certificate from client
+    private boolean tlsAllowInsecureConnection = false;
 
     private Properties properties = new Properties();
 
@@ -153,6 +157,22 @@ public void setTlsKeyFilePath(String tlsKeyFilePath) {
         this.tlsKeyFilePath = tlsKeyFilePath;
     }
 
+    public String getTlsTrustCertsFilePath() {
+        return tlsTrustCertsFilePath;
+    }
+
+    public void setTlsTrustCertsFilePath(String tlsTrustCertsFilePath) {
+        this.tlsTrustCertsFilePath = tlsTrustCertsFilePath;
+    }
+
+    public boolean isTlsAllowInsecureConnection() {
+        return tlsAllowInsecureConnection;
+    }
+
+    public void setTlsAllowInsecureConnection(boolean tlsAllowInsecureConnection) {
+        this.tlsAllowInsecureConnection = tlsAllowInsecureConnection;
+    }
+
     public boolean isBindOnLocalhost() {
         return bindOnLocalhost;
     }

diff --git a/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/service/ProxyServer.java b/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/service/ProxyServer.java
@@ -82,7 +82,7 @@ public ProxyServer(WebSocketProxyConfiguration config)
         if (config.isTlsEnabled()) {
             SslContextFactory sslCtxFactory = new SslContextFactory(true);
             try {
-                SSLContext sslCtx = SecurityUtility.createSslContext(false, null, config.getTlsCertificateFilePath(),
+                SSLContext sslCtx = SecurityUtility.createSslContext(false, config.getTlsTrustCertsFilePath(), config.getTlsCertificateFilePath(),
                         config.getTlsKeyFilePath());
                 sslCtxFactory.setSslContext(sslCtx);