https between components #7767
https between components #7767
Conversation
| Selenium Grid by default communicates over HTTP. This is fine for a lot | ||
| of use cases, especially if everything is contained within the firewall | ||
| and against test sites with testing data. However, if your server is | ||
| exposed to the Internet or us being used in environments with production |
| create and sign your certificates. | ||
|
|
||
| ``` | ||
| ~/go/bin/minica --domains sessions.grid.com,distributor.grid.com,router.grid.com |
There was a problem hiding this comment.
Assume commands are on the PATH already. If someone's installed minica via (eg) homebrew, the location will be different.
| -import \ | ||
| -file /path/to/minica.pem \ | ||
| -alias minica \ | ||
| -keystore /Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/lib/security/cacerts \ |
| @@ -53,6 +53,18 @@ | |||
| @ConfigValue(section = "server", name = "allow-cors") | |||
| private boolean allowCORS = false; | |||
|
|
|||
| @Parameter(description = "Whether the Selenium server should communicate over https", names = "--https") | |||
There was a problem hiding this comment.
It would seem that having either --http-private-key or --http-certificate implies that the connections should be secured....
| b.group(bossGroup, workerGroup) | ||
| .channel(NioServerSocketChannel.class) | ||
| .handler(new LoggingHandler(LogLevel.INFO)) | ||
| .childHandler(new SeleniumHttpsInitializer(handler, sslCtx)); |
There was a problem hiding this comment.
Why not just modify the existing SeleniumHttpInitializer to accept a null sslCtx and have it only add the SSL handler if the value is not null?
| @Override | ||
| protected void initChannel(SocketChannel ch) { | ||
| ch.pipeline().addLast("ssl", sslCtx.newHandler(ch.alloc())); | ||
| ch.pipeline().addLast("codec", new HttpServerCodec()); |
There was a problem hiding this comment.
Is this the same as the SeleniumHttpInitializer? If so, and you're not following the suggestion from above, consider something like:
ch.pipeline().addLast("ssl", sslCtx.newHandler(ch.alloc()));
new SeleniumHttpInitializer(seleniumHandler).initChannel(ch);
to minimise the amount of duplicated code, and to highlight the relationship between the two.
| @@ -94,7 +97,7 @@ | |||
| () -> { | |||
| try { | |||
| return createRemotes(); | |||
| } catch (URISyntaxException e) { | |||
| } catch (URISyntaxException | SSLException | CertificateException e) { | |||
| @@ -121,7 +124,7 @@ public void setFields() { | |||
| this.clientFactory = (HttpClient.Factory) raw[1]; | |||
| } | |||
|
|
|||
| private static Object[] createInMemory() throws URISyntaxException, MalformedURLException { | |||
| private static Object[] createInMemory() throws URISyntaxException, MalformedURLException, SSLException, CertificateException { | |||
There was a problem hiding this comment.
At this point, throw Exception is fine. It's just a test.
|
Adam Goucher seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
| return config.get("server", "https-private-key").isPresent() && config.get("server", "https-certificate").isPresent(); | ||
| } | ||
|
|
||
| public File getPrivateKey() { |
There was a problem hiding this comment.
In a follow-up PR, we should make this a Path
| Objects.requireNonNull(options, "Server options must be set."); | ||
| Objects.requireNonNull(handler, "Handler to use must be set."); | ||
|
|
||
| Boolean secure = options.isSecure(); |
There was a problem hiding this comment.
boolean: we never expect this to be null, and the unboxing that happens on the next line will throw an NPE if that happens.
There was a problem hiding this comment.
I think the current implementation of isSecure ensures it always is Boolean.
| } | ||
|
|
||
| @Override | ||
| protected void initChannel(SocketChannel ch) { | ||
| if (sslCtx != null) { | ||
| ch.pipeline().addLast("ssl", sslCtx.newHandler(ch.alloc())); | ||
| } |
| @@ -0,0 +1,53 @@ | |||
| // Licensed to the Software Freedom Conservancy (SFC) under one | |||
| @@ -96,4 +97,24 @@ public URI getExternalUri() { | |||
| public boolean getAllowCORS() { | |||
| return config.getBool("server", "allow-cors").orElse(false); | |||
| } | |||
|
|
|||
| public boolean isSecure() { | |||
| return config.get("server", "https-private-key").isPresent() && config.get("server", "https-certificate").isPresent(); | |||
|
|
||
| private Channel channel; | ||
|
|
||
| public NettyServer(BaseServerOptions options, HttpHandler handler) { | ||
| public NettyServer(BaseServerOptions options, HttpHandler handler) | ||
| throws SSLException, CertificateException { |
There was a problem hiding this comment.
Consider wrapping the SSLException with an UncheckedIOException so that everything coming out of this is a RuntimeException. Our own code wraps and rethrows, so it's not like we're hiding much.
Merging in support to run the standalone server and/or component parts of the server as https. Default is still http due to configuration pain. Note: none of the client bindings have been updated to communicate to a https server
Alright. This is for #7662
Essentially there is a big on/off flag (--https) and then you need to provide a certificate (--https-certificate) and a key (--https-private-key). There is also an info section on how to wire it up including making yourself some certificates and how to teach Java to trust them.
Not sure how to write tests as it requires certificates, but can confirm I have locally been able to light up a browser and drive it.
This does not do the follow, each will have to be a separate item
secure zeromq which is still plain tcp
teach the client bindings about certificates (my tests were with the python ones and they just work by saying the remote_connection is https but it spits out a warning about verifying certificates on every communication over the wire)
By placing an
Xin the preceding checkbox, I verify that I have signed the Contributor License Agreement