NIFI-7913 Added getEnabledProtocols() to TlsConfiguration and updated…

… ListenSMTP to set enabled protocols on SSL Sockets NIFI-7913 Changed order of supported protocols to match existing comments in SSLContextService This closes #4599 Signed-off-by: Nathan Gough <thenatog@gmail.com>
apache · Dec 10, 2020 · 7bff64b · 7bff64b
1 parent 8e49483
commit 7bff64b
Show file tree

Hide file tree

Showing 7 changed files with 181 additions and 86 deletions.
diff --git a/...nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java b/...nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java
@@ -25,6 +25,13 @@
  * {@link javax.net.ssl.SSLContext}s.
  */
 public interface TlsConfiguration {
+    String SSL_PROTOCOL = "SSL";
+    String TLS_PROTOCOL = "TLS";
+
+    String TLS_1_0_PROTOCOL = "TLSv1";
+    String TLS_1_1_PROTOCOL = "TLSv1.1";
+    String[] LEGACY_TLS_PROTOCOL_VERSIONS = new String[]{TLS_1_0_PROTOCOL, TLS_1_1_PROTOCOL};
+
     String JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.2";
     String JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.3";
     String[] JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS = new String[]{JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION};
@@ -157,6 +164,13 @@ static boolean isEmpty(TlsConfiguration tlsConfiguration) {
      */
     String[] getTruststorePropertiesForLogging();
 
+    /**
+     * Get Enabled TLS Protocol Versions
+     *
+     * @return Enabled TLS Protocols
+     */
+    String[] getEnabledProtocols();
+
     /**
      * Returns the JVM Java major version based on the System properties (e.g. {@code JVM 1.8.0.231} -> {code 8}).
      *

diff --git a/...-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java b/...-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java
@@ -18,6 +18,9 @@
 
 import java.io.File;
 import java.net.MalformedURLException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Objects;
 import org.apache.nifi.util.NiFiProperties;
 import org.apache.nifi.util.StringUtils;
@@ -432,6 +435,29 @@ public String[] getTruststorePropertiesForLogging() {
         return new String[]{getTruststorePath(), getTruststorePasswordForLogging(), getKeystoreType() != null ? getTruststoreType().getType() : NULL_LOG};
     }
 
+
+    /**
+     * Get Enabled TLS Protocols translates SSL to legacy protocols and TLS to current protocols or returns configured protocol
+     *
+     * @return Enabled TLS Protocols
+     */
+    @Override
+    public String[] getEnabledProtocols() {
+        final List<String> enabledProtocols = new ArrayList<>();
+
+        final String configuredProtocol = getProtocol();
+        if (TLS_PROTOCOL.equals(configuredProtocol)) {
+            enabledProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()));
+        } else if (SSL_PROTOCOL.equals(configuredProtocol)) {
+            enabledProtocols.addAll(Arrays.asList(LEGACY_TLS_PROTOCOL_VERSIONS));
+            enabledProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()));
+        } else if (configuredProtocol != null) {
+            enabledProtocols.add(configuredProtocol);
+        }
+
+        return enabledProtocols.toArray(new String[enabledProtocols.size()]);
+    }
+
     @Override
     public String toString() {
         StringBuilder sb = new StringBuilder("[TlsConfiguration]");

diff --git a/...y-utils/src/test/groovy/org/apache/nifi/security/util/StandardTlsConfigurationTest.groovy b/...y-utils/src/test/groovy/org/apache/nifi/security/util/StandardTlsConfigurationTest.groovy
@@ -209,4 +209,43 @@ class StandardTlsConfigurationTest extends GroovyTestCase {
         assert !wrongPasswordIsValid
         assert !invalidIsValid
     }
+
+    @Test
+    void testShouldReturnLegacyAndCurrentEnabledProtocolsForSsl() {
+        TlsConfiguration configuration = getTlsConfiguration(TlsConfiguration.SSL_PROTOCOL)
+
+        String[] enabledProtocols = configuration.enabledProtocols
+        assert enabledProtocols.toList().containsAll(TlsConfiguration.LEGACY_TLS_PROTOCOL_VERSIONS)
+        assert enabledProtocols.toList().containsAll(TlsConfiguration.getCurrentSupportedTlsProtocolVersions())
+    }
+
+    @Test
+    void testShouldReturnCurrentEnabledProtocolsForTls() {
+        TlsConfiguration configuration = getTlsConfiguration(TlsConfiguration.TLS_PROTOCOL)
+
+        String[] enabledProtocols = configuration.enabledProtocols
+        assert !enabledProtocols.toList().containsAll(TlsConfiguration.LEGACY_TLS_PROTOCOL_VERSIONS)
+        assert enabledProtocols.toList().containsAll(TlsConfiguration.getCurrentSupportedTlsProtocolVersions())
+    }
+
+    @Test
+    void testShouldReturnConfiguredEnabledProtocols() {
+        String currentProtocol = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()
+        TlsConfiguration configuration = getTlsConfiguration(currentProtocol)
+
+        String[] enabledProtocols = configuration.enabledProtocols
+        assert enabledProtocols == [currentProtocol]
+    }
+
+    @Test
+    void testShouldReturnEmptyEnabledProtocolsForNullProtocol() {
+        TlsConfiguration configuration = getTlsConfiguration(null)
+
+        String[] enabledProtocols = configuration.enabledProtocols
+        assert enabledProtocols.toList().isEmpty()
+    }
+
+    TlsConfiguration getTlsConfiguration(String protocol) {
+        new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, protocol)
+    }
 }
diff --git a/...ndle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java b/...ndle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java
@@ -50,6 +50,7 @@
 import org.apache.nifi.processor.util.StandardValidators;
 import org.apache.nifi.processors.email.smtp.SmtpConsumer;
 import org.apache.nifi.security.util.ClientAuth;
+import org.apache.nifi.security.util.TlsConfiguration;
 import org.apache.nifi.ssl.RestrictedSSLContextService;
 import org.apache.nifi.ssl.SSLContextService;
 import org.springframework.util.StringUtils;
@@ -252,6 +253,9 @@ public SSLSocket createSSLSocket(Socket socket) throws IOException {
                 SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuth));
                 SSLSocketFactory socketFactory = sslContext.getSocketFactory();
                 SSLSocket sslSocket = (SSLSocket) (socketFactory.createSocket(socket, remoteAddress.getHostName(), socket.getPort(), true));
+                final TlsConfiguration tlsConfiguration = sslContextService.createTlsConfiguration();
+                sslSocket.setEnabledProtocols(tlsConfiguration.getEnabledProtocols());
+
                 sslSocket.setUseClientMode(false);
 
                 if (ClientAuth.REQUIRED.toString().equals(clientAuth)) {

diff --git a/.../nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java b/.../nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java
@@ -16,6 +16,8 @@
  */
 package org.apache.nifi.processors.email;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 
 import java.util.Properties;
@@ -26,7 +28,9 @@
 import javax.mail.internet.InternetAddress;
 import javax.mail.internet.MimeMessage;
 import org.apache.nifi.remote.io.socket.NetworkUtils;
+import org.apache.nifi.reporting.InitializationException;
 import org.apache.nifi.security.util.ClientAuth;
+import org.apache.nifi.security.util.TlsConfiguration;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.ssl.StandardRestrictedSSLContextService;
 import org.apache.nifi.ssl.StandardSSLContextService;
@@ -35,141 +39,149 @@
 import org.junit.Test;
 
 public class TestListenSMTP {
+    private static final String SSL_SERVICE_IDENTIFIER = "ssl-context";
 
     @Test
     public void testListenSMTP() throws Exception {
-        final ListenSMTP processor = new ListenSMTP();
-        final TestRunner runner = TestRunners.newTestRunner(processor);
-
         final int port = NetworkUtils.availablePort();
-        runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
-        runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
+        final TestRunner runner = newTestRunner(port);
 
         runner.run(1, false);
+        assertPortListening(port);
 
-        assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000));
+        final Session session = getSession(port);
+        final int numMessages = 5;
+        for (int i = 0; i < numMessages; i++) {
+            sendMessage(session, i);
+        }
 
-        final Properties config = new Properties();
-        config.put("mail.smtp.host", "localhost");
-        config.put("mail.smtp.port", String.valueOf(port));
-        config.put("mail.smtp.connectiontimeout", "5000");
-        config.put("mail.smtp.timeout", "5000");
-        config.put("mail.smtp.writetimeout", "5000");
+        runner.shutdown();
+        runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, numMessages);
+    }
 
-        final Session session = Session.getInstance(config);
-        session.setDebug(true);
+    @Test
+    public void testListenSMTPwithTLSCurrentVersion() throws Exception {
+        final int port = NetworkUtils.availablePort();
+        final TestRunner runner = newTestRunner(port);
+
+        final String tlsProtocol = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion();
+        configureSslContextService(runner, tlsProtocol);
+        runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, SSL_SERVICE_IDENTIFIER);
+        runner.setProperty(ListenSMTP.CLIENT_AUTH, ClientAuth.NONE.name());
+        runner.assertValid();
+
+        runner.run(1, false);
+        assertPortListening(port);
+        final Session session = getSessionTls(port, tlsProtocol);
 
         final int numMessages = 5;
         for (int i = 0; i < numMessages; i++) {
-            final Message email = new MimeMessage(session);
-            email.setFrom(new InternetAddress("alice@nifi.apache.org"));
-            email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
-            email.setSubject("This is a test");
-            email.setText("MSG-" + i);
-            Transport.send(email);
+            sendMessage(session, i);
         }
 
         runner.shutdown();
         runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, numMessages);
     }
 
     @Test
-    public void testListenSMTPwithTLS() throws Exception {
-        final ListenSMTP processor = new ListenSMTP();
-        final TestRunner runner = TestRunners.newTestRunner(processor);
-
+    public void testListenSMTPwithTLSLegacyProtocolException() throws Exception {
         final int port = NetworkUtils.availablePort();
-        runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
-        runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
+        final TestRunner runner = newTestRunner(port);
 
-        // Setup the SSL Context
-        final SSLContextService sslContextService = new StandardRestrictedSSLContextService();
-        runner.addControllerService("ssl-context", sslContextService);
-        runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/truststore.jks");
-        runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "passwordpassword");
-        runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, "JKS");
-        runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE, "src/test/resources/keystore.jks");
-        runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_PASSWORD, "passwordpassword");
-        runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_TYPE, "JKS");
-        runner.enableControllerService(sslContextService);
-
-        // and add the SSL context to the runner
-        runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, "ssl-context");
+        configureSslContextService(runner, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
+        runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, SSL_SERVICE_IDENTIFIER);
         runner.setProperty(ListenSMTP.CLIENT_AUTH, ClientAuth.NONE.name());
         runner.assertValid();
 
         runner.run(1, false);
+        assertPortListening(port);
 
-        assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000));
+        final Session session = getSessionTls(port, TlsConfiguration.TLS_1_0_PROTOCOL);
+        final MessagingException exception = assertThrows(MessagingException.class, () -> sendMessage(session, 0));
+        assertEquals(exception.getMessage(), "Could not convert socket to TLS");
 
-        final Properties config = new Properties();
-        config.put("mail.smtp.host", "localhost");
-        config.put("mail.smtp.port", String.valueOf(port));
-        config.put("mail.smtp.auth", "false");
-        config.put("mail.smtp.starttls.enable", "true");
-        config.put("mail.smtp.starttls.required", "true");
-        config.put("mail.smtp.ssl.trust", "*");
-        config.put("mail.smtp.connectiontimeout", "5000");
-        config.put("mail.smtp.timeout", "5000");
-        config.put("mail.smtp.writetimeout", "5000");
+        runner.shutdown();
+        runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0);
+    }
 
-        final Session session = Session.getInstance(config);
-        session.setDebug(true);
+    @Test
+    public void testListenSMTPwithTooLargeMessage() throws Exception {
+        final int port = NetworkUtils.availablePort();
+        final TestRunner runner = newTestRunner(port);
+        runner.setProperty(ListenSMTP.SMTP_MAXIMUM_MSG_SIZE, "10 B");
 
-        final int numMessages = 5;
-        for (int i = 0; i < numMessages; i++) {
-            final Message email = new MimeMessage(session);
-            email.setFrom(new InternetAddress("alice@nifi.apache.org"));
-            email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
-            email.setSubject("This is a test");
-            email.setText("MSG-" + i);
-            Transport.send(email);
-        }
+        runner.run(1, false);
+        assertPortListening(port);
+
+        final Session session = getSession(port);
+        assertThrows(MessagingException.class, () -> sendMessage(session, 0));
 
         runner.shutdown();
-        runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, numMessages);
+        runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0);
     }
 
-    @Test(expected = MessagingException.class)
-    public void testListenSMTPwithTooLargeMessage() throws Exception {
+    private TestRunner newTestRunner(final int port) {
         final ListenSMTP processor = new ListenSMTP();
         final TestRunner runner = TestRunners.newTestRunner(processor);
 
-        final int port = NetworkUtils.availablePort();
         runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port));
         runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3");
-        runner.setProperty(ListenSMTP.SMTP_MAXIMUM_MSG_SIZE, "10 B");
-
-        runner.run(1, false);
+        return runner;
+    }
 
+    private void assertPortListening(final int port) {
         assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000));
+    }
 
+    private Session getSession(final int port) {
         final Properties config = new Properties();
         config.put("mail.smtp.host", "localhost");
         config.put("mail.smtp.port", String.valueOf(port));
         config.put("mail.smtp.connectiontimeout", "5000");
         config.put("mail.smtp.timeout", "5000");
         config.put("mail.smtp.writetimeout", "5000");
-
         final Session session = Session.getInstance(config);
         session.setDebug(true);
+        return session;
+    }
 
-        MessagingException messagingException = null;
-        try {
-            final Message email = new MimeMessage(session);
-            email.setFrom(new InternetAddress("alice@nifi.apache.org"));
-            email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
-            email.setSubject("This is a test");
-            email.setText("MSG-0");
-            Transport.send(email);
-        } catch (final MessagingException e) {
-            messagingException = e;
-        }
+    private Session getSessionTls(final int port, final String tlsProtocol) {
+        final Properties config = new Properties();
+        config.put("mail.smtp.host", "localhost");
+        config.put("mail.smtp.port", String.valueOf(port));
+        config.put("mail.smtp.auth", "false");
+        config.put("mail.smtp.starttls.enable", "true");
+        config.put("mail.smtp.starttls.required", "true");
+        config.put("mail.smtp.ssl.trust", "*");
+        config.put("mail.smtp.connectiontimeout", "5000");
+        config.put("mail.smtp.timeout", "5000");
+        config.put("mail.smtp.writetimeout", "5000");
+        config.put("mail.smtp.ssl.protocols", tlsProtocol);
 
-        runner.shutdown();
-        runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0);
+        final Session session = Session.getInstance(config);
+        session.setDebug(true);
+        return session;
+    }
 
-        if (messagingException != null) throw messagingException;
+    private void sendMessage(final Session session, final int i) throws MessagingException {
+        final Message email = new MimeMessage(session);
+        email.setFrom(new InternetAddress("alice@nifi.apache.org"));
+        email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org"));
+        email.setSubject("This is a test");
+        email.setText("MSG-" + i);
+        Transport.send(email);
     }
 
+    private void configureSslContextService(final TestRunner runner, final String tlsProtocol) throws InitializationException {
+        final SSLContextService sslContextService = new StandardRestrictedSSLContextService();
+        runner.addControllerService(SSL_SERVICE_IDENTIFIER, sslContextService);
+        runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/truststore.jks");
+        runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "passwordpassword");
+        runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, "JKS");
+        runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE, "src/test/resources/keystore.jks");
+        runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_PASSWORD, "passwordpassword");
+        runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_TYPE, "JKS");
+        runner.setProperty(sslContextService, StandardSSLContextService.SSL_ALGORITHM, tlsProtocol);
+        runner.enableControllerService(sslContextService);
+    }
 }
diff --git a/...ontext-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java b/...ontext-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java
@@ -87,7 +87,7 @@ public String getSslAlgorithm() {
     static AllowableValue[] buildAlgorithmAllowableValues() {
         final Set<String> supportedProtocols = new HashSet<>();
 
-        supportedProtocols.add("TLS");
+        supportedProtocols.add(TlsConfiguration.TLS_PROTOCOL);
 
         /*
          * Add specifically supported TLS versions