diff --git a/nifi-api/src/main/java/org/apache/nifi/action/Action.java b/nifi-api/src/main/java/org/apache/nifi/action/Action.java
index ed6505fcd9d0..44c28a66aa67 100644
--- a/nifi-api/src/main/java/org/apache/nifi/action/Action.java
+++ b/nifi-api/src/main/java/org/apache/nifi/action/Action.java
@@ -16,11 +16,10 @@
 */
 package org.apache.nifi.action;
-import org.apache.nifi.action.component.details.ComponentDetails;
-import org.apache.nifi.action.details.ActionDetails;
-
 import java.io.Serializable;
 import java.util.Date;
+import org.apache.nifi.action.component.details.ComponentDetails;
+import org.apache.nifi.action.details.ActionDetails;
 /**
 * An action taken on the flow by a user.
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/DynamicProperty.java b/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/DynamicProperty.java
index aa522268fb9e..f73ce4515660 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/DynamicProperty.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/DynamicProperty.java
@@ -22,7 +22,6 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-
 import org.apache.nifi.components.ConfigurableComponent;
 import org.apache.nifi.expression.ExpressionLanguageScope;
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/DynamicRelationship.java b/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/DynamicRelationship.java
index 68d40c7fb022..006f6adba8af 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/DynamicRelationship.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/DynamicRelationship.java
@@ -22,7 +22,6 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.processor.Processor;
 import org.apache.nifi.processor.Relationship;
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Restriction.java b/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Restriction.java
index 2a07108eecfe..1490880acb0b 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Restriction.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Restriction.java
@@ -16,14 +16,13 @@
 */
 package org.apache.nifi.annotation.behavior;
-import org.apache.nifi.components.RequiredPermission;
-
 import java.lang.annotation.Documented;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Inherited;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
+import org.apache.nifi.components.RequiredPermission;
 /**
 * Specific restriction for a component. Indicates what the required permission is and why the restriction exists.
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Stateful.java b/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Stateful.java
index de32bd7d74c6..0e224747ff5a 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Stateful.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/behavior/Stateful.java
@@ -23,7 +23,6 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-
 import org.apache.nifi.components.state.Scope;
 import org.apache.nifi.components.state.StateManager;
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/configuration/DefaultSchedule.java b/nifi-api/src/main/java/org/apache/nifi/annotation/configuration/DefaultSchedule.java
index 8635a74513c8..7d08d77ae14b 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/configuration/DefaultSchedule.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/configuration/DefaultSchedule.java
@@ -17,14 +17,13 @@
 package org.apache.nifi.annotation.configuration;
-import org.apache.nifi.scheduling.SchedulingStrategy;
-
 import java.lang.annotation.Documented;
-import java.lang.annotation.Target;
-import java.lang.annotation.Retention;
 import java.lang.annotation.ElementType;
-import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import org.apache.nifi.scheduling.SchedulingStrategy;
 /**
 *

diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/configuration/DefaultSettings.java b/nifi-api/src/main/java/org/apache/nifi/annotation/configuration/DefaultSettings.java
index d01972c8c724..09402c7bad83 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/configuration/DefaultSettings.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/configuration/DefaultSettings.java
@@ -18,11 +18,11 @@
 package org.apache.nifi.annotation.configuration;
 import java.lang.annotation.Documented;
-import java.lang.annotation.Target;
-import java.lang.annotation.Retention;
 import java.lang.annotation.ElementType;
-import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
 import org.apache.nifi.logging.LogLevel;
 /**
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/documentation/DeprecationNotice.java b/nifi-api/src/main/java/org/apache/nifi/annotation/documentation/DeprecationNotice.java
index f9d47dda5e01..e3858438abe2 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/documentation/DeprecationNotice.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/documentation/DeprecationNotice.java
@@ -16,14 +16,13 @@
 */
 package org.apache.nifi.annotation.documentation;
-import org.apache.nifi.components.ConfigurableComponent;
-
 import java.lang.annotation.Documented;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Inherited;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
+import org.apache.nifi.components.ConfigurableComponent;
 /**
 * Annotation that can be applied to a {@link org.apache.nifi.processor.Processor Processor},
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/documentation/SeeAlso.java b/nifi-api/src/main/java/org/apache/nifi/annotation/documentation/SeeAlso.java
index f89e25b11009..43937759ad08 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/documentation/SeeAlso.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/documentation/SeeAlso.java
@@ -22,7 +22,6 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-
 import org.apache.nifi.components.ConfigurableComponent;
 /**
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnDisabled.java b/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnDisabled.java
index f8ca0381e2dc..d4044a1f9010 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnDisabled.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnDisabled.java
@@ -22,7 +22,6 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-
 import org.apache.nifi.controller.ConfigurationContext;
 /**
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnRemoved.java b/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnRemoved.java
index 54817e4f4b2f..1dfac3df0b48 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnRemoved.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnRemoved.java
@@ -22,7 +22,6 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.processor.ProcessContext;
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnShutdown.java b/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnShutdown.java
index 44098ff2bc53..905618aadb6d 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnShutdown.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnShutdown.java
@@ -22,7 +22,6 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.processor.ProcessContext;
diff --git a/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnStopped.java b/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnStopped.java
index cdec8d0e727d..647c2ec7baea 100644
--- a/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnStopped.java
+++ b/nifi-api/src/main/java/org/apache/nifi/annotation/lifecycle/OnStopped.java
@@ -22,7 +22,6 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.processor.ProcessContext;
diff --git a/nifi-api/src/main/java/org/apache/nifi/components/ConfigurableComponent.java b/nifi-api/src/main/java/org/apache/nifi/components/ConfigurableComponent.java
index 2f693dac3783..4c5537eb6c14 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/ConfigurableComponent.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/ConfigurableComponent.java
@@ -18,7 +18,6 @@
 import java.util.Collection;
 import java.util.List;
-
 import org.apache.nifi.annotation.lifecycle.OnConfigurationRestored;
 public interface ConfigurableComponent {
diff --git a/nifi-api/src/main/java/org/apache/nifi/components/PropertyDescriptor.java b/nifi-api/src/main/java/org/apache/nifi/components/PropertyDescriptor.java
index e39b75d9495e..0e23510cd8fe 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/PropertyDescriptor.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/PropertyDescriptor.java
@@ -22,7 +22,6 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
-
 import org.apache.nifi.controller.ControllerService;
 import org.apache.nifi.expression.ExpressionLanguageScope;
diff --git a/nifi-api/src/main/java/org/apache/nifi/components/PropertyValue.java b/nifi-api/src/main/java/org/apache/nifi/components/PropertyValue.java
index 05f262fcf601..edafaeee6549 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/PropertyValue.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/PropertyValue.java
@@ -18,7 +18,6 @@
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
-
 import org.apache.nifi.controller.ControllerService;
 import org.apache.nifi.expression.AttributeValueDecorator;
 import org.apache.nifi.flowfile.FlowFile;
@@ -277,7 +276,7 @@ public interface PropertyValue {
 * @throws ProcessException if the Expression cannot be compiled or evaluating
 * the Expression against the given attributes causes an Exception to be thrown
 */
- public PropertyValue evaluateAttributeExpressions(FlowFile flowFile, Map additionalAttributes, AttributeValueDecorator decorator, Map stateValues)
+ PropertyValue evaluateAttributeExpressions(FlowFile flowFile, Map additionalAttributes, AttributeValueDecorator decorator, Map stateValues)
 throws ProcessException;
 /**
diff --git a/nifi-api/src/main/java/org/apache/nifi/components/ValidationContext.java b/nifi-api/src/main/java/org/apache/nifi/components/ValidationContext.java
index acaffd7c034d..56f566e9d7c0 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/ValidationContext.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/ValidationContext.java
@@ -16,14 +16,13 @@
 */
 package org.apache.nifi.components;
+import java.util.Collection;
+import java.util.Map;
 import org.apache.nifi.context.PropertyContext;
 import org.apache.nifi.controller.ControllerService;
 import org.apache.nifi.controller.ControllerServiceLookup;
 import org.apache.nifi.expression.ExpressionLanguageCompiler;
-import java.util.Collection;
-import java.util.Map;
-
 public interface ValidationContext extends PropertyContext {
 /**
diff --git a/nifi-api/src/main/java/org/apache/nifi/components/state/StateManager.java b/nifi-api/src/main/java/org/apache/nifi/components/state/StateManager.java
index 768f77317bcf..1669ea1bbd94 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/state/StateManager.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/state/StateManager.java
@@ -19,7 +19,6 @@
 import java.io.IOException;
 import java.util.Map;
-
 import org.apache.nifi.annotation.behavior.Stateful;
 import org.apache.nifi.components.state.exception.StateTooLargeException;
diff --git a/nifi-api/src/main/java/org/apache/nifi/components/state/exception/StateTooLargeException.java b/nifi-api/src/main/java/org/apache/nifi/components/state/exception/StateTooLargeException.java
index 5461b40b306f..41c8b248ec4a 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/state/exception/StateTooLargeException.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/state/exception/StateTooLargeException.java
@@ -17,9 +17,8 @@
 package org.apache.nifi.components.state.exception;
-import org.apache.nifi.components.state.StateManager;
-
 import java.io.IOException;
+import org.apache.nifi.components.state.StateManager;
 /**
 * Thrown when attempting to store state via the {@link StateManager} but the state being
diff --git a/nifi-api/src/main/java/org/apache/nifi/context/PropertyContext.java b/nifi-api/src/main/java/org/apache/nifi/context/PropertyContext.java
index 2771927b480e..5b22a192e92e 100644
--- a/nifi-api/src/main/java/org/apache/nifi/context/PropertyContext.java
+++ b/nifi-api/src/main/java/org/apache/nifi/context/PropertyContext.java
@@ -16,11 +16,10 @@
 */
 package org.apache.nifi.context;
+import java.util.Map;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.components.PropertyValue;
-import java.util.Map;
-
 /**
 * A context for retrieving a PropertyValue from a PropertyDescriptor.
 */
diff --git a/nifi-api/src/main/java/org/apache/nifi/controller/ConfigurationContext.java b/nifi-api/src/main/java/org/apache/nifi/controller/ConfigurationContext.java
index c1316b5536c5..f4a602a9a8f8 100644
--- a/nifi-api/src/main/java/org/apache/nifi/controller/ConfigurationContext.java
+++ b/nifi-api/src/main/java/org/apache/nifi/controller/ConfigurationContext.java
@@ -16,11 +16,10 @@
 */
 package org.apache.nifi.controller;
-import org.apache.nifi.components.PropertyDescriptor;
-import org.apache.nifi.context.PropertyContext;
-
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.context.PropertyContext;
 /**
 * This context is passed to ControllerServices and Reporting Tasks in order
diff --git a/nifi-api/src/main/java/org/apache/nifi/controller/status/ProcessGroupStatus.java b/nifi-api/src/main/java/org/apache/nifi/controller/status/ProcessGroupStatus.java
index f9433d77e7d1..758a059802fe 100644
--- a/nifi-api/src/main/java/org/apache/nifi/controller/status/ProcessGroupStatus.java
+++ b/nifi-api/src/main/java/org/apache/nifi/controller/status/ProcessGroupStatus.java
@@ -16,12 +16,11 @@
 */
 package org.apache.nifi.controller.status;
-import org.apache.nifi.registry.flow.VersionedFlowState;
-
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
+import org.apache.nifi.registry.flow.VersionedFlowState;
 /**
 */
diff --git a/nifi-api/src/main/java/org/apache/nifi/controller/status/ProcessorStatus.java b/nifi-api/src/main/java/org/apache/nifi/controller/status/ProcessorStatus.java
index 93a6d87f0942..ba90534239c6 100644
--- a/nifi-api/src/main/java/org/apache/nifi/controller/status/ProcessorStatus.java
+++ b/nifi-api/src/main/java/org/apache/nifi/controller/status/ProcessorStatus.java
@@ -16,11 +16,10 @@
 */
 package org.apache.nifi.controller.status;
-import org.apache.nifi.scheduling.ExecutionNode;
-
 import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
+import org.apache.nifi.scheduling.ExecutionNode;
 /**
 */
diff --git a/nifi-api/src/main/java/org/apache/nifi/documentation/AbstractDocumentationWriter.java b/nifi-api/src/main/java/org/apache/nifi/documentation/AbstractDocumentationWriter.java
index d3c64d4b556a..2c24f5c0587d 100644
--- a/nifi-api/src/main/java/org/apache/nifi/documentation/AbstractDocumentationWriter.java
+++ b/nifi-api/src/main/java/org/apache/nifi/documentation/AbstractDocumentationWriter.java
@@ -16,6 +16,14 @@
 */
 package org.apache.nifi.documentation;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
 import org.apache.nifi.annotation.behavior.DynamicProperties;
 import org.apache.nifi.annotation.behavior.DynamicProperty;
 import org.apache.nifi.annotation.behavior.DynamicRelationship;
@@ -42,15 +50,6 @@
 import org.apache.nifi.reporting.InitializationException;
 import org.apache.nifi.reporting.ReportingTask;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
 /**
 * Base class for DocumentationWriter that simplifies iterating over all information for a component, creating a separate method
 * for each, to ensure that implementations properly override all methods and therefore properly account for all information about
diff --git a/nifi-api/src/main/java/org/apache/nifi/documentation/ExtensionDocumentationWriter.java b/nifi-api/src/main/java/org/apache/nifi/documentation/ExtensionDocumentationWriter.java
index f4b249201dde..7681c0984b4c 100644
--- a/nifi-api/src/main/java/org/apache/nifi/documentation/ExtensionDocumentationWriter.java
+++ b/nifi-api/src/main/java/org/apache/nifi/documentation/ExtensionDocumentationWriter.java
@@ -16,11 +16,10 @@
 */
 package org.apache.nifi.documentation;
-import org.apache.nifi.components.ConfigurableComponent;
-
 import java.io.IOException;
 import java.util.Collection;
 import java.util.Map;
+import org.apache.nifi.components.ConfigurableComponent;
 /**
 * Generates documentation for an instance of a ConfigurableComponent.
diff --git a/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationControllerServiceInitializationContext.java b/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationControllerServiceInitializationContext.java
index 68637aaa1a23..cb8a0f234561 100644
--- a/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationControllerServiceInitializationContext.java
+++ b/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationControllerServiceInitializationContext.java
@@ -16,15 +16,14 @@
 */
 package org.apache.nifi.documentation.init;
+import java.io.File;
+import java.util.UUID;
 import org.apache.nifi.components.state.StateManager;
 import org.apache.nifi.controller.ControllerServiceInitializationContext;
 import org.apache.nifi.controller.ControllerServiceLookup;
 import org.apache.nifi.controller.NodeTypeProvider;
 import org.apache.nifi.logging.ComponentLog;
-import java.io.File;
-import java.util.UUID;
-
 public class DocumentationControllerServiceInitializationContext implements ControllerServiceInitializationContext {
 private final String id = UUID.randomUUID().toString();
 private final ControllerServiceLookup serviceLookup = new EmptyControllerServiceLookup();
diff --git a/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationProcessorInitializationContext.java b/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationProcessorInitializationContext.java
index c7a5e406643e..a48dcb63825b 100644
--- a/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationProcessorInitializationContext.java
+++ b/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationProcessorInitializationContext.java
@@ -16,14 +16,13 @@
 */
 package org.apache.nifi.documentation.init;
+import java.io.File;
+import java.util.UUID;
 import org.apache.nifi.controller.ControllerServiceLookup;
 import org.apache.nifi.controller.NodeTypeProvider;
 import org.apache.nifi.logging.ComponentLog;
 import org.apache.nifi.processor.ProcessorInitializationContext;
-import java.io.File;
-import java.util.UUID;
-
 public class DocumentationProcessorInitializationContext implements ProcessorInitializationContext {
 private final String uuid = UUID.randomUUID().toString();
 private final NodeTypeProvider nodeTypeProvider = new StandaloneNodeTypeProvider();
diff --git a/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationReportingInitializationContext.java b/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationReportingInitializationContext.java
index 4697ee8d4c68..bcf216eb65b9 100644
--- a/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationReportingInitializationContext.java
+++ b/nifi-api/src/main/java/org/apache/nifi/documentation/init/DocumentationReportingInitializationContext.java
@@ -16,16 +16,15 @@
 */
 package org.apache.nifi.documentation.init;
+import java.io.File;
+import java.util.UUID;
+import java.util.concurrent.TimeUnit;
 import org.apache.nifi.controller.ControllerServiceLookup;
 import org.apache.nifi.controller.NodeTypeProvider;
 import org.apache.nifi.logging.ComponentLog;
 import org.apache.nifi.reporting.ReportingInitializationContext;
 import org.apache.nifi.scheduling.SchedulingStrategy;
-import java.io.File;
-import java.util.UUID;
-import java.util.concurrent.TimeUnit;
-
 public class DocumentationReportingInitializationContext implements ReportingInitializationContext {
 private final String id = UUID.randomUUID().toString();
 private final ComponentLog componentLog = new NopComponentLog();
diff --git a/nifi-api/src/main/java/org/apache/nifi/documentation/init/EmptyControllerServiceLookup.java b/nifi-api/src/main/java/org/apache/nifi/documentation/init/EmptyControllerServiceLookup.java
index 4831198d078e..5cda2af77614 100644
--- a/nifi-api/src/main/java/org/apache/nifi/documentation/init/EmptyControllerServiceLookup.java
+++ b/nifi-api/src/main/java/org/apache/nifi/documentation/init/EmptyControllerServiceLookup.java
@@ -16,11 +16,10 @@
 */
 package org.apache.nifi.documentation.init;
+import java.util.Set;
 import org.apache.nifi.controller.ControllerService;
 import org.apache.nifi.controller.ControllerServiceLookup;
-import java.util.Set;
-
 public class EmptyControllerServiceLookup implements ControllerServiceLookup {
 @Override
 public ControllerService getControllerService(final String serviceIdentifier) {
diff --git a/nifi-api/src/main/java/org/apache/nifi/documentation/init/NopStateManager.java b/nifi-api/src/main/java/org/apache/nifi/documentation/init/NopStateManager.java
index 5e2c9557c8fd..4b4e21e8da5c 100644
--- a/nifi-api/src/main/java/org/apache/nifi/documentation/init/NopStateManager.java
+++ b/nifi-api/src/main/java/org/apache/nifi/documentation/init/NopStateManager.java
@@ -16,12 +16,11 @@
 */
 package org.apache.nifi.documentation.init;
+import java.util.Map;
 import org.apache.nifi.components.state.Scope;
 import org.apache.nifi.components.state.StateManager;
 import org.apache.nifi.components.state.StateMap;
-import java.util.Map;
-
 public class NopStateManager implements StateManager {
 @Override
 public void setState(final Map state, final Scope scope) {
diff --git a/nifi-api/src/main/java/org/apache/nifi/documentation/xml/XmlDocumentationWriter.java b/nifi-api/src/main/java/org/apache/nifi/documentation/xml/XmlDocumentationWriter.java
index 59813a2a7b10..01c0bdc8dc01 100644
--- a/nifi-api/src/main/java/org/apache/nifi/documentation/xml/XmlDocumentationWriter.java
+++ b/nifi-api/src/main/java/org/apache/nifi/documentation/xml/XmlDocumentationWriter.java
@@ -16,6 +16,19 @@
 */
 package org.apache.nifi.documentation.xml;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.function.Function;
+import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamWriter;
 import org.apache.nifi.annotation.behavior.DynamicProperty;
 import org.apache.nifi.annotation.behavior.DynamicRelationship;
 import org.apache.nifi.annotation.behavior.InputRequirement;
@@ -36,20 +49,6 @@
 import org.apache.nifi.documentation.ServiceAPI;
 import org.apache.nifi.processor.Relationship;
-import javax.xml.stream.XMLOutputFactory;
-import javax.xml.stream.XMLStreamException;
-import javax.xml.stream.XMLStreamWriter;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.function.Function;
-
 /**
 * XML-based implementation of DocumentationWriter
 *
@@ -423,7 +422,7 @@ private void writeStartElement(final String elementName) throws IOException {
 private void writeEndElement() throws IOException {
 try {
- writer.writeEndElement();;
+ writer.writeEndElement();
 } catch (final XMLStreamException e) {
 throw new IOException(e);
 }
diff --git a/nifi-api/src/main/java/org/apache/nifi/processor/AbstractSessionFactoryProcessor.java b/nifi-api/src/main/java/org/apache/nifi/processor/AbstractSessionFactoryProcessor.java
index 029f459bbb00..2394805b735f 100644
--- a/nifi-api/src/main/java/org/apache/nifi/processor/AbstractSessionFactoryProcessor.java
+++ b/nifi-api/src/main/java/org/apache/nifi/processor/AbstractSessionFactoryProcessor.java
@@ -18,7 +18,6 @@
 import java.util.Collections;
 import java.util.Set;
-
 import org.apache.nifi.annotation.lifecycle.OnConfigurationRestored;
 import org.apache.nifi.annotation.lifecycle.OnScheduled;
 import org.apache.nifi.annotation.lifecycle.OnUnscheduled;
diff --git a/nifi-api/src/main/java/org/apache/nifi/processor/ProcessContext.java b/nifi-api/src/main/java/org/apache/nifi/processor/ProcessContext.java
index ea925ec5f157..4ce6367d0f62 100644
--- a/nifi-api/src/main/java/org/apache/nifi/processor/ProcessContext.java
+++ b/nifi-api/src/main/java/org/apache/nifi/processor/ProcessContext.java
@@ -18,7 +18,6 @@
 import java.util.Map;
 import java.util.Set;
-
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.components.PropertyValue;
 import org.apache.nifi.components.state.StateManager;
diff --git a/nifi-api/src/main/java/org/apache/nifi/processor/ProcessSession.java b/nifi-api/src/main/java/org/apache/nifi/processor/ProcessSession.java
index 58f579f1741d..2e2d4ee7c3ad 100644
--- a/nifi-api/src/main/java/org/apache/nifi/processor/ProcessSession.java
+++ b/nifi-api/src/main/java/org/apache/nifi/processor/ProcessSession.java
@@ -24,7 +24,6 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.regex.Pattern;
-
 import org.apache.nifi.controller.queue.QueueSize;
 import org.apache.nifi.flowfile.FlowFile;
 import org.apache.nifi.processor.exception.FlowFileAccessException;
diff --git a/nifi-api/src/main/java/org/apache/nifi/processor/Processor.java b/nifi-api/src/main/java/org/apache/nifi/processor/Processor.java
index 98efc68ec979..34e47423aee1 100644
--- a/nifi-api/src/main/java/org/apache/nifi/processor/Processor.java
+++ b/nifi-api/src/main/java/org/apache/nifi/processor/Processor.java
@@ -17,7 +17,6 @@
 package org.apache.nifi.processor;
 import java.util.Set;
-
 import org.apache.nifi.components.ConfigurableComponent;
 import org.apache.nifi.processor.exception.ProcessException;
diff --git a/nifi-api/src/main/java/org/apache/nifi/processor/exception/TerminatedTaskException.java b/nifi-api/src/main/java/org/apache/nifi/processor/exception/TerminatedTaskException.java
index 602ad1d224ab..a55ed629304c 100644
--- a/nifi-api/src/main/java/org/apache/nifi/processor/exception/TerminatedTaskException.java
+++ b/nifi-api/src/main/java/org/apache/nifi/processor/exception/TerminatedTaskException.java
@@ -19,7 +19,6 @@
 import java.io.InputStream;
 import java.io.OutputStream;
-
 import org.apache.nifi.processor.ProcessContext;
 import org.apache.nifi.processor.ProcessSession;
 import org.apache.nifi.processor.ProcessSessionFactory;
diff --git a/nifi-api/src/main/java/org/apache/nifi/provenance/ProvenanceEventBuilder.java b/nifi-api/src/main/java/org/apache/nifi/provenance/ProvenanceEventBuilder.java
index 38e39a2a49e2..be4fd5e37246 100644
--- a/nifi-api/src/main/java/org/apache/nifi/provenance/ProvenanceEventBuilder.java
+++ b/nifi-api/src/main/java/org/apache/nifi/provenance/ProvenanceEventBuilder.java
@@ -18,7 +18,6 @@
 import java.util.List;
 import java.util.Map;
-
 import org.apache.nifi.flowfile.FlowFile;
 import org.apache.nifi.processor.Processor;
 import org.apache.nifi.processor.Relationship;
diff --git a/nifi-api/src/main/java/org/apache/nifi/provenance/ProvenanceReporter.java b/nifi-api/src/main/java/org/apache/nifi/provenance/ProvenanceReporter.java
index a8f12a16431b..442f1309c140 100644
--- a/nifi-api/src/main/java/org/apache/nifi/provenance/ProvenanceReporter.java
+++ b/nifi-api/src/main/java/org/apache/nifi/provenance/ProvenanceReporter.java
@@ -16,12 +16,11 @@ */ package org.apache.nifi.provenance; +import java.util.Collection; import org.apache.nifi.flowfile.FlowFile; import org.apache.nifi.processor.ProcessSession; import org.apache.nifi.processor.Relationship; -import java.util.Collection; - /** * ProvenanceReporter generates and records Provenance-related events. A * ProvenanceReporter is always tied to a {@link ProcessSession}. Any events diff --git a/nifi-api/src/main/java/org/apache/nifi/reporting/AbstractReportingTask.java b/nifi-api/src/main/java/org/apache/nifi/reporting/AbstractReportingTask.java index 339231ae3211..a2fd1195b359 100644 --- a/nifi-api/src/main/java/org/apache/nifi/reporting/AbstractReportingTask.java +++ b/nifi-api/src/main/java/org/apache/nifi/reporting/AbstractReportingTask.java @@ -17,7 +17,6 @@ package org.apache.nifi.reporting; import java.util.concurrent.TimeUnit; - import org.apache.nifi.annotation.lifecycle.OnScheduled; import org.apache.nifi.components.AbstractConfigurableComponent; import org.apache.nifi.controller.ConfigurationContext; diff --git a/nifi-api/src/main/java/org/apache/nifi/reporting/EventAccess.java b/nifi-api/src/main/java/org/apache/nifi/reporting/EventAccess.java index c219032a0ac7..e4b556e4be7e 100644 --- a/nifi-api/src/main/java/org/apache/nifi/reporting/EventAccess.java +++ b/nifi-api/src/main/java/org/apache/nifi/reporting/EventAccess.java @@ -16,14 +16,13 @@ */ package org.apache.nifi.reporting; +import java.io.IOException; +import java.util.List; import org.apache.nifi.action.Action; import org.apache.nifi.controller.status.ProcessGroupStatus; import org.apache.nifi.provenance.ProvenanceEventRecord; import org.apache.nifi.provenance.ProvenanceEventRepository; -import java.io.IOException; -import java.util.List; - public interface EventAccess { /** diff --git a/nifi-api/src/main/java/org/apache/nifi/reporting/ReportingContext.java b/nifi-api/src/main/java/org/apache/nifi/reporting/ReportingContext.java index 253089d89fcd..85cf84464469 100644 
--- a/nifi-api/src/main/java/org/apache/nifi/reporting/ReportingContext.java +++ b/nifi-api/src/main/java/org/apache/nifi/reporting/ReportingContext.java @@ -16,13 +16,12 @@ */ package org.apache.nifi.reporting; +import java.util.Map; import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.state.StateManager; import org.apache.nifi.context.PropertyContext; import org.apache.nifi.controller.ControllerServiceLookup; -import java.util.Map; - /** * This interface provides a bridge between the NiFi Framework and a * {@link ReportingTask}. This context allows a ReportingTask to access diff --git a/nifi-api/src/main/java/org/apache/nifi/reporting/ReportingInitializationContext.java b/nifi-api/src/main/java/org/apache/nifi/reporting/ReportingInitializationContext.java index 0bf49d3976ba..978b42105195 100644 --- a/nifi-api/src/main/java/org/apache/nifi/reporting/ReportingInitializationContext.java +++ b/nifi-api/src/main/java/org/apache/nifi/reporting/ReportingInitializationContext.java @@ -17,7 +17,6 @@ package org.apache.nifi.reporting; import java.util.concurrent.TimeUnit; - import org.apache.nifi.controller.ControllerServiceLookup; import org.apache.nifi.controller.NodeTypeProvider; import org.apache.nifi.kerberos.KerberosContext; diff --git a/nifi-api/src/test/java/org/apache/nifi/processor/TestDataUnit.java b/nifi-api/src/test/java/org/apache/nifi/processor/TestDataUnit.java index 3e6a2353c401..a06afdf53b5f 100644 --- a/nifi-api/src/test/java/org/apache/nifi/processor/TestDataUnit.java +++ b/nifi-api/src/test/java/org/apache/nifi/processor/TestDataUnit.java @@ -16,10 +16,10 @@ */ package org.apache.nifi.processor; -import org.junit.Test; - import static org.junit.Assert.assertEquals; +import org.junit.Test; + /** * */ diff --git a/nifi-api/src/test/java/org/apache/nifi/registry/TestVariableRegistry.java b/nifi-api/src/test/java/org/apache/nifi/registry/TestVariableRegistry.java index e326fab1b18f..6c66323fbf45 100644 
--- a/nifi-api/src/test/java/org/apache/nifi/registry/TestVariableRegistry.java +++ b/nifi-api/src/test/java/org/apache/nifi/registry/TestVariableRegistry.java @@ -16,10 +16,11 @@ */ package org.apache.nifi.registry; -import org.junit.Test; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNull; +import org.junit.Test; + public class TestVariableRegistry { @Test diff --git a/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/notification/http/HttpNotificationService.java b/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/notification/http/HttpNotificationService.java index fdb4c2d1fff0..5eb9ced2ab35 100644 --- a/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/notification/http/HttpNotificationService.java +++ b/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/notification/http/HttpNotificationService.java @@ -39,6 +39,7 @@ import org.apache.nifi.expression.ExpressionLanguageScope; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; public class HttpNotificationService extends AbstractNotificationService { @@ -215,7 +216,7 @@ private static TlsConfiguration createTlsConfigurationFromContext(NotificationIn String truststorePath = context.getProperty(HttpNotificationService.PROP_TRUSTSTORE).getValue(); String truststorePassword = context.getProperty(HttpNotificationService.PROP_TRUSTSTORE_PASSWORD).getValue(); String truststoreType = context.getProperty(HttpNotificationService.PROP_TRUSTSTORE_TYPE).getValue(); - return new TlsConfiguration(keystorePath, keystorePassword, keyPassword, keystoreType, truststorePath, truststorePassword, truststoreType); + return new StandardTlsConfiguration(keystorePath, keystorePassword, keyPassword, keystoreType, truststorePath, truststorePassword, truststoreType); } @Override 
diff --git a/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/http/TestHttpNotificationServiceSSL.java b/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/http/TestHttpNotificationServiceSSL.java index ac280cf319d5..5fbbd7c89cec 100644 --- a/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/http/TestHttpNotificationServiceSSL.java +++ b/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/http/TestHttpNotificationServiceSSL.java @@ -31,8 +31,9 @@ import javax.xml.parsers.ParserConfigurationException; import okhttp3.mockwebserver.MockWebServer; import org.apache.nifi.bootstrap.NotificationServiceManager; -import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.junit.After; 
@@ -135,9 +136,9 @@ public void startServer() throws IOException, TlsException { mockWebServer = new MockWebServer(); - TlsConfiguration tlsConfiguration = new TlsConfiguration("./src/test/resources/keystore.jks", "passwordpassword", null, "JKS", - "./src/test/resources/truststore.jks", "passwordpassword", "JKS", CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); - final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, SslContextFactory.ClientAuth.REQUIRED); + TlsConfiguration tlsConfiguration = new StandardTlsConfiguration("./src/test/resources/keystore.jks", "passwordpassword", null, "JKS", + "./src/test/resources/truststore.jks", "passwordpassword", "JKS", TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); + final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED); mockWebServer.useHttps(sslContext.getSocketFactory(), false); String configFileOutput = CONFIGURATION_FILE_TEXT.replace("${test.server}", String.valueOf(mockWebServer.url("/"))); diff --git a/nifi-commons/nifi-security-utils-api/pom.xml b/nifi-commons/nifi-security-utils-api/pom.xml new file mode 100644 index 000000000000..02dbe5206a9e --- /dev/null +++ b/nifi-commons/nifi-security-utils-api/pom.xml @@ -0,0 +1,32 @@ + + + 4.0.0 + + org.apache.nifi + nifi-commons + 1.13.0-SNAPSHOT + + nifi-security-utils-api + + This nifi-security-utils-api module holds reusable code necessary for security + across the project. This module is included in a number of api modules and must + have no external dependencies. + + + + diff --git a/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/ClientAuth.java b/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/ClientAuth.java new file mode 100644 index 000000000000..df6d7357ab0e --- /dev/null +++ b/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/ClientAuth.java 
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.security.util;
+
+import java.util.Arrays;
+import java.util.stream.Collectors;
+
+/**
+ * This enum is used to indicate the three possible options for a server requesting a client certificate during TLS handshake negotiation.
+ */
+public enum ClientAuth {
+ WANT("Want", "Requests the client certificate on handshake and validates if present but does not require it"),
+ REQUIRED("Required", "Requests the client certificate on handshake and rejects the connection if it is not present and valid"),
+ NONE("None", "Does not request the client certificate on handshake");
+
+ private final String type;
+ private final String description;
+
+ ClientAuth(String type, String description) {
+ this.type = type;
+ this.description = description;
+ }
+
+ public String getType() {
+ return this.type;
+ }
+
+ public String getDescription() {
+ return this.description;
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder("[SslContextFactory]");
+ sb.append("type=").append(type);
+ sb.append("description=").append(description);
+ return sb.toString();
+ }
+
+ /**
+ * Returns {@code true} if the provided type is a valid {@link ClientAuth} type.
+ *
+ * @param type the raw type string
+ * @return true if the type is valid
+ */
+ public static boolean isValidClientAuthType(String type) {
+ if (type == null || type.replaceAll("\\s", "").isEmpty()) {
+ return false;
+ }
+ return (Arrays.stream(values()).map(ca -> ca.getType().toLowerCase()).collect(Collectors.toList()).contains(type.toLowerCase()));
+ }
+}
diff --git a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeystoreType.java b/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/KeystoreType.java
similarity index 95%
rename from nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeystoreType.java
rename to nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/KeystoreType.java
index ea47463897a1..b5347e376288 100644
--- a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeystoreType.java
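Review bot: `toString()` in the new `ClientAuth` enum still prints the prefix `[SslContextFactory]` and appends `type=` and `description=` with nothing between them, so the value `CertificateUtils` logs as the client auth status comes out as one run-on string under the wrong class name. A single statement such as `return "ClientAuth[type=" + type + ", description=" + description + "]";` keeps the module free of commons-lang and stays readable in logs. Separately, `isValidClientAuthType` (and `KeystoreType.isValidKeystoreType` in the next file, which receives the same blank check) lowercases both sides with the default locale, so a configured value like `REQUIRED` would fail to match under a Turkish locale. `return Arrays.stream(values()).anyMatch(ca -> ca.getType().equalsIgnoreCase(type));` is locale-independent and drops the intermediate list.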
+++ b/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/KeystoreType.java @@ -18,7 +18,6 @@ import java.util.Arrays; import java.util.stream.Collectors; -import org.apache.nifi.util.StringUtils; /** * Keystore types. @@ -49,7 +48,7 @@ public String toString() { } public static boolean isValidKeystoreType(String type) { - if (StringUtils.isBlank(type)) { + if (type == null || type.replaceAll("\\s", "").isEmpty()) { return false; } return (Arrays.stream(values()).map(kt -> kt.getType().toLowerCase()).collect(Collectors.toList()).contains(type.toLowerCase())); diff --git a/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java b/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java new file mode 100644 index 000000000000..b696fa1db9f6 --- /dev/null +++ b/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java 
@@ -0,0 +1,219 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.security.util;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * This interface serves as an immutable domain object (acting as an internal DTO) for
+ * the various keystore and truststore configuration settings necessary for building
+ * {@link javax.net.ssl.SSLContext}s.
+ */
+public interface TlsConfiguration {
+ String JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.2";
+ String JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.3";
+ String[] JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS = new String[]{JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION};
+ String[] JAVA_11_SUPPORTED_TLS_PROTOCOL_VERSIONS = new String[]{JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION, JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION};
+
+
+ /**
+ * Returns {@code true} if the provided TlsConfiguration is {@code null} or empty
+ * (i.e. neither any of the keystore nor truststore properties are populated).
+ *
+ * @param tlsConfiguration the container object to check
+ * @return true if this container is empty or null
+ */
+ static boolean isEmpty(TlsConfiguration tlsConfiguration) {
+ return tlsConfiguration == null || !(tlsConfiguration.isAnyKeystorePopulated() || tlsConfiguration.isAnyTruststorePopulated());
+ }
+
+ // Getters & setters
+
+ String getKeystorePath();
+
+ String getKeystorePassword();
+
+ /**
+ * Returns {@code "********"} if the keystore password is populated, {@code "null"} if not.
+ *
+ * @return a loggable String representation of the keystore password
+ */
+ String getKeystorePasswordForLogging();
+
+ String getKeyPassword();
+
+ /**
+ * Returns {@code "********"} if the key password is populated, {@code "null"} if not.
+ *
+ * @return a loggable String representation of the key password
+ */
+ String getKeyPasswordForLogging();
+
+ /**
+ * Returns the "working" key password -- if the key password is populated, it is returned; otherwise the {@link #getKeystorePassword()} is returned.
+ *
+ * @return the key or keystore password actually populated
+ */
+ String getFunctionalKeyPassword();
+
+ /**
+ * Returns {@code "********"} if the functional key password is populated, {@code "null"} if not.
+ *
+ * @return a loggable String representation of the functional key password
+ */
+ String getFunctionalKeyPasswordForLogging();
+
+ KeystoreType getKeystoreType();
+
+ String getTruststorePath();
+
+ String getTruststorePassword();
+
+ /**
+ * Returns {@code "********"} if the truststore password is populated, {@code "null"} if not.
+ *
+ * @return a loggable String representation of the truststore password
+ */
+ String getTruststorePasswordForLogging();
+
+ KeystoreType getTruststoreType();
+
+ String getProtocol();
+
+ // Boolean validators for keystore & truststore
+
+ /**
+ * Returns {@code true} if the necessary properties are populated to instantiate a keystore. This does not validate the values (see {@link #isKeystoreValid()}).
+ *
+ * @return true if the path, password, and type are present
+ */
+ boolean isKeystorePopulated();
+
+ /**
+ * Returns {@code true} if any of the keystore properties is populated, indicating that the caller expects a valid keystore to be generated.
+ *
+ * @return true if any keystore properties are present
+ */
+ boolean isAnyKeystorePopulated();
+
+ /**
+ * Returns {@code true} if the necessary properties are populated and the keystore can be successfully instantiated (i.e. the path is valid and the password(s) are correct).
+ *
+ * @return true if the keystore properties are valid
+ */
+ boolean isKeystoreValid();
+
+ /**
+ * Returns {@code true} if the necessary properties are populated to instantiate a truststore. This does not validate the values (see {@link #isTruststoreValid()}).
+ *
+ * @return true if the path, password, and type are present
+ */
+ boolean isTruststorePopulated();
+
+ /**
+ * Returns {@code true} if any of the truststore properties is populated, indicating that the caller expects a valid truststore to be generated.
+ *
+ * @return true if any truststore properties are present
+ */
+ boolean isAnyTruststorePopulated();
+
+ /**
+ * Returns {@code true} if the necessary properties are populated and the truststore can be successfully instantiated (i.e. the path is valid and the password is correct).
+ *
+ * @return true if the truststore properties are valid
+ */
+ boolean isTruststoreValid();
+
+ /**
+ * Returns a {@code String[]} containing the keystore properties for logging. The order is
+ * {@link #getKeystorePath()}, {@link #getKeystorePasswordForLogging()},
+ * {@link #getFunctionalKeyPasswordForLogging()}, {@link #getKeystoreType()} (using the type or "null").
+ *
+ * @return a loggable String[]
+ */
+ String[] getKeystorePropertiesForLogging();
+
+ /**
+ * Returns a {@code String[]} containing the truststore properties for logging.
The order is
+ * {@link #getTruststorePath()}, {@link #getTruststorePasswordForLogging()},
+ * {@link #getTruststoreType()} (using the type or "null").
+ *
+ * @return a loggable String[]
+ */
+ String[] getTruststorePropertiesForLogging();
+
+ /**
+ * Returns the JVM Java major version based on the System properties (e.g. {@code JVM 1.8.0.231} -> {code 8}).
+ *
+ * @return the Java major version
+ */
+ static int getJavaVersion() {
+ String version = System.getProperty("java.version");
+ return parseJavaVersion(version);
+ }
+
+ /**
+ * Returns the major version parsed from the provided Java version string (e.g. {@code "1.8.0.231"} -> {@code 8}).
+ *
+ * @param version the Java version string
+ * @return the major version as an int
+ */
+ static int parseJavaVersion(String version) {
+ String majorVersion;
+ if (version.startsWith("1.")) {
+ majorVersion = version.substring(2, 3);
+ } else {
+ Pattern majorVersion9PlusPattern = Pattern.compile("(\\d+).*");
+ Matcher m = majorVersion9PlusPattern.matcher(version);
+ if (m.find()) {
+ majorVersion = m.group(1);
+ } else {
+ throw new IllegalArgumentException("Could not detect major version of " + version);
+ }
+ }
+ return Integer.parseInt(majorVersion);
+ }
+
+ /**
+ * Returns a {@code String[]} of supported TLS protocol versions based on the current Java platform version.
+ *
+ * @return the supported TLS protocol version(s)
+ */
+ static String[] getCurrentSupportedTlsProtocolVersions() {
+ int javaMajorVersion = getJavaVersion();
+ if (javaMajorVersion < 11) {
+ return JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS;
+ } else {
+ return JAVA_11_SUPPORTED_TLS_PROTOCOL_VERSIONS;
+ }
+ }
+
+ /**
+ * Returns the highest supported TLS protocol version based on the current Java platform version.
+ *
+ * @return the TLS protocol (e.g.
{@code "TLSv1.2"})
+ */
+ static String getHighestCurrentSupportedTlsProtocolVersion() {
+ int javaMajorVersion = getJavaVersion();
+ if (javaMajorVersion < 11) {
+ return JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION;
+ } else {
+ return JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION;
+ }
+ }
+}
diff --git a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/TlsException.java b/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsException.java
similarity index 100%
rename from nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/TlsException.java
rename to nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsException.java
diff --git a/nifi-commons/nifi-security-utils-api/src/test/groovy/org/apache/nifi/security/util/TlsConfigurationTest.groovy b/nifi-commons/nifi-security-utils-api/src/test/groovy/org/apache/nifi/security/util/TlsConfigurationTest.groovy
new file mode 100644
index 000000000000..88e95241f95d
--- /dev/null
+++ b/nifi-commons/nifi-security-utils-api/src/test/groovy/org/apache/nifi/security/util/TlsConfigurationTest.groovy
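Review bot: `getCurrentSupportedTlsProtocolVersions()` returns the interface constants `JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS` and `JAVA_11_SUPPORTED_TLS_PROTOCOL_VERSIONS` themselves, and since interface fields are implicitly public and arrays are mutable, any caller can overwrite an element and change the protocol list every other caller in the JVM receives. Returning a copy in both branches, e.g. `return JAVA_11_SUPPORTED_TLS_PROTOCOL_VERSIONS.clone();`, keeps callers from sharing state through the method; the array constants remain writable, so a comment such as `// Treat as read-only: shared by all TLS configuration consumers` above them is worth adding. `parseJavaVersion` also dereferences `version` without a null check, so an unset `java.version` property would surface as a bare `NullPointerException` rather than the `IllegalArgumentException` the method already uses for unparseable input.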
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.security.util
+
+
+import org.junit.After
+import org.junit.Before
+import org.junit.BeforeClass
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.junit.runners.JUnit4
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+
+@RunWith(JUnit4.class)
+class TlsConfigurationTest extends GroovyTestCase {
+ private static final Logger logger = LoggerFactory.getLogger(TlsConfigurationTest.class)
+
+ @BeforeClass
+ static void setUpOnce() {
+ logger.metaClass.methodMissing = { String name, args ->
+ logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}")
+ }
+ }
+
+ @Before
+ void setUp() {
+ super.setUp()
+
+ }
+
+ @After
+ void tearDown() {
+
+ }
+
+ @Test
+ void testShouldParseJavaVersion() {
+ // Arrange
+ def possibleVersions = ["1.5.0", "1.6.0", "1.7.0.123", "1.8.0.231", "9.0.1", "10.1.2", "11.2.3", "12.3.456"]
+
+ // Act
+ def majorVersions = possibleVersions.collect { String version ->
+ logger.debug("Attempting to determine major version of ${version}")
+ TlsConfiguration.parseJavaVersion(version)
+ }
+ logger.info("Major versions: ${majorVersions}")
+
+ // Assert
+ assert majorVersions ==
(5..12) + } + + @Test + void testShouldGetCurrentSupportedTlsProtocolVersions() { + // Arrange + int javaMajorVersion = TlsConfiguration.getJavaVersion() + logger.debug("Running on Java version: ${javaMajorVersion}") + + // Act + def tlsVersions = TlsConfiguration.getCurrentSupportedTlsProtocolVersions() + logger.info("Supported protocol versions for ${javaMajorVersion}: ${tlsVersions}") + + // Assert + if (javaMajorVersion < 11) { + assert tlsVersions == ["TLSv1.2"] as String[] + } else { + assert tlsVersions == ["TLSv1.3", "TLSv1.2"] as String[] + } + } + + @Test + void testShouldGetMaxCurrentSupportedTlsProtocolVersion() { + // Arrange + int javaMajorVersion = TlsConfiguration.getJavaVersion() + logger.debug("Running on Java version: ${javaMajorVersion}") + + // Act + def tlsVersion = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion() + logger.info("Highest supported protocol version for ${javaMajorVersion}: ${tlsVersion}") + + // Assert + if (javaMajorVersion < 11) { + assert tlsVersion == "TLSv1.2" + } else { + assert tlsVersion == "TLSv1.3" + } + } +} diff --git a/nifi-commons/nifi-security-utils/pom.xml b/nifi-commons/nifi-security-utils/pom.xml index aa3167a4b875..9716b56488b6 100644 --- a/nifi-commons/nifi-security-utils/pom.xml +++ b/nifi-commons/nifi-security-utils/pom.xml @@ -37,6 +37,11 @@ nifi-utils 1.13.0-SNAPSHOT + + org.apache.nifi + nifi-security-utils-api + 1.13.0-SNAPSHOT + ch.qos.logback logback-classic @@ -84,6 +89,11 @@ spock-core test + + org.apache.commons + commons-configuration2 + 2.7 + diff --git a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java index a93c51866a65..d3383ec030f1 100644 --- a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java 
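Review bot: The second hunk of nifi-security-utils/pom.xml adds `org.apache.commons:commons-configuration2` at a literal `2.7`, yet none of the Java changes visible in this part of the diff import it. The XML tags are lost in this rendering, so the scope cannot be read here; if the dependency is only needed by tests it should carry `<scope>test</scope>` like the `spock-core` entry above it, and if nothing uses it, it should be dropped rather than widening the runtime classpath of a security module. Taking the version from the parent's dependency management instead of pinning it inline would also keep it in step with later security updates.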
+++ b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java @@ -38,8 +38,6 @@ import java.util.List; import java.util.Map; import java.util.concurrent.TimeUnit; -import java.util.regex.Matcher; -import java.util.regex.Pattern; import javax.naming.InvalidNameException; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; @@ -50,8 +48,8 @@ import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1Set; -import org.bouncycastle.asn1.DLSequence; import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.DLSequence; import org.bouncycastle.asn1.pkcs.Attribute; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x500.AttributeTypeAndValue; @@ -201,7 +199,7 @@ public static String extractPeerDNFromSSLSocket(Socket socket) throws Certificat boolean clientMode = sslSocket.getUseClientMode(); logger.debug("SSL Socket in {} mode", clientMode ? "client" : "server"); - SslContextFactory.ClientAuth clientAuth = getClientAuthStatus(sslSocket); + ClientAuth clientAuth = getClientAuthStatus(sslSocket); logger.debug("SSL Socket client auth status: {}", clientAuth); if (clientMode) { @@ -234,10 +232,10 @@ private static String extractPeerDNFromClientSSLSocket(SSLSocket sslSocket) thro * This method should throw an exception if none are provided for need, return null if none are provided for want, and return null (without checking) for none. */ - SslContextFactory.ClientAuth clientAuth = getClientAuthStatus(sslSocket); + ClientAuth clientAuth = getClientAuthStatus(sslSocket); logger.debug("SSL Socket client auth status: {}", clientAuth); - if (clientAuth != SslContextFactory.ClientAuth.NONE) { + if (clientAuth != ClientAuth.NONE) { try { final Certificate[] certChains = sslSocket.getSession().getPeerCertificates(); if (certChains != null && certChains.length > 0) { 
@@ -250,9 +248,9 @@ private static String extractPeerDNFromClientSSLSocket(SSLSocket sslSocket) thro logger.error("The incoming request did not contain client certificates and thus the DN cannot" + " be extracted. Check that the other endpoint is providing a complete client certificate chain"); } - if (clientAuth == SslContextFactory.ClientAuth.WANT) { + if (clientAuth == ClientAuth.WANT) { logger.warn("Suppressing missing client certificate exception because client auth is set to 'want'"); - return dn; + return null; } throw new CertificateException(e); } @@ -289,8 +287,8 @@ private static String extractPeerDNFromServerSSLSocket(Socket socket) throws Cer return dn; } - private static SslContextFactory.ClientAuth getClientAuthStatus(SSLSocket sslSocket) { - return sslSocket.getNeedClientAuth() ? SslContextFactory.ClientAuth.REQUIRED : sslSocket.getWantClientAuth() ? SslContextFactory.ClientAuth.WANT : SslContextFactory.ClientAuth.NONE; + private static ClientAuth getClientAuthStatus(SSLSocket sslSocket) { + return sslSocket.getNeedClientAuth() ? ClientAuth.REQUIRED : sslSocket.getWantClientAuth() ? ClientAuth.WANT : ClientAuth.NONE; } /** 
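Review bot: In the `@@ -250` hunk the `logger.error(...)` about missing client certificates sits above the `ClientAuth.WANT` check, so a peer that presents no certificate on a want-mode socket appears to produce an error-level entry followed by the suppression warning. That outcome is expected for `WANT` and an unauthenticated peer can repeat it at will, so testing `clientAuth == ClientAuth.WANT` first and logging that case at debug would keep the error log meaningful. The explicit `return null;` is clearer than `return dn;`, and the method's Javadoc (outside this hunk) should state that `null` means no verified peer identity so callers never treat it as a match. The enclosing method starts and ends outside the hunk and the condition guarding the error log is not visible, so confirm the ordering before changing it.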
@@ -627,66 +625,6 @@ public static boolean isTlsError(Throwable e) { } } - /** - * Returns the JVM Java major version based on the System properties (e.g. {@code JVM 1.8.0.231} -> {code 8}). - * - * @return the Java major version - */ - public static int getJavaVersion() { - String version = System.getProperty("java.version"); - return parseJavaVersion(version); - } - - /** - * Returns the major version parsed from the provided Java version string (e.g. {@code "1.8.0.231"} -> {@code 8}). - * - * @param version the Java version string - * @return the major version as an int - */ - public static int parseJavaVersion(String version) { - String majorVersion; - if (version.startsWith("1.")) { - majorVersion = version.substring(2, 3); - } else { - Pattern majorVersion9PlusPattern = Pattern.compile("(\\d+).*"); - Matcher m = majorVersion9PlusPattern.matcher(version); - if (m.find()) { - majorVersion = m.group(1); - } else { - throw new IllegalArgumentException("Could not detect major version of " + version); - } - } - return Integer.parseInt(majorVersion); - } - - /** - * Returns a {@code String[]} of supported TLS protocol versions based on the current Java platform version. - * - * @return the supported TLS protocol version(s) - */ - public static String[] getCurrentSupportedTlsProtocolVersions() { - int javaMajorVersion = getJavaVersion(); - if (javaMajorVersion < 11) { - return JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS; - } else { - return JAVA_11_SUPPORTED_TLS_PROTOCOL_VERSIONS; - } - } - - /** - * Returns the highest supported TLS protocol version based on the current Java platform version. - * - * @return the TLS protocol (e.g. {@code "TLSv1.2"}) - */ - public static String getHighestCurrentSupportedTlsProtocolVersion() { - int javaMajorVersion = getJavaVersion(); - if (javaMajorVersion < 11) { - return JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION; - } else { - return JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION; - } - } - private CertificateUtils() { } } 
diff --git a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java index 39dcafa4fbce..6a5e54668200 100644 --- a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java +++ b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java @@ -21,7 +21,6 @@ import java.security.SecureRandom; import java.util.Arrays; import java.util.Optional; -import java.util.stream.Collectors; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; @@ -29,9 +28,6 @@ import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; -import org.apache.commons.lang3.builder.ToStringBuilder; -import org.apache.commons.lang3.builder.ToStringStyle; -import org.apache.nifi.util.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -44,46 +40,7 @@ public final class SslContextFactory { private static final Logger logger = LoggerFactory.getLogger(SslContextFactory.class); - /** - * This enum is used to indicate the three possible options for a server requesting a client certificate during TLS handshake negotiation. - */ - public enum ClientAuth { - WANT("Want", "Requests the client certificate on handshake and validates if present but does not require it"), - REQUIRED("Required", "Requests the client certificate on handshake and rejects the connection if it is not present and valid"), - NONE("None", "Does not request the client certificate on handshake"); - - private final String type; - private final String description; - - ClientAuth(String type, String description) { - this.type = type; - this.description = description; - } - - public String getType() { - return this.type; - } - - public String getDescription() { - return this.description; - } - - @Override - public String toString() { - final ToStringBuilder builder = new ToStringBuilder(this); - ToStringBuilder.setDefaultStyle(ToStringStyle.SHORT_PREFIX_STYLE); - builder.append("Type", type); - builder.append("Description", description); - return builder.toString(); - } - - public static boolean isValidClientAuthType(String type) { - if (StringUtils.isBlank(type)) { - return false; - } - return (Arrays.stream(values()).map(ca -> ca.getType().toLowerCase()).collect(Collectors.toList()).contains(type.toLowerCase())); - } - } + // TODO: Move to nifi-security-utils-core /** * Returns a configured {@link SSLContext} from the provided TLS configuration. Hardcodes the 
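Review bot: The added `// TODO: Move to nifi-security-utils-core` comment in SslContextFactory does not say what is to be moved, and it sits directly above the Javadoc of the next method, in the place the removed ClientAuth enum occupied. As placed it reads as if it applies only to that method. If the whole class is meant, put it on the class declaration with a tracking reference, for example `// TODO(<issue-id>): move SslContextFactory to nifi-security-utils-core`. The Javadoc that follows continues outside the hunk.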
diff --git a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java similarity index 79% rename from nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java rename to nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java index 021986b2165c..dfaab7bae654 100644 --- a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java +++ b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java 
@@ -19,19 +19,21 @@ import java.io.File; import java.net.MalformedURLException; import java.util.Objects; -import org.apache.commons.lang3.builder.ToStringBuilder; import org.apache.nifi.util.NiFiProperties; import org.apache.nifi.util.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; + /** - * This class serves as an immutable domain object (acting as an internal DTO) for the various keystore and truststore configuration settings necessary for building {@link javax.net.ssl.SSLContext}s. + * This class serves as a concrete immutable domain object (acting as an internal DTO) + * for the various keystore and truststore configuration settings necessary for + * building {@link javax.net.ssl.SSLContext}s. */ -public class TlsConfiguration { - private static final Logger logger = LoggerFactory.getLogger(TlsConfiguration.class); +public class StandardTlsConfiguration implements TlsConfiguration { + private static final Logger logger = LoggerFactory.getLogger(StandardTlsConfiguration.class); - private static final String TLS_PROTOCOL_VERSION = CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion(); + private static final String TLS_PROTOCOL_VERSION = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion(); private static final String MASKED_PASSWORD_LOG = "********"; private static final String NULL_LOG = "null"; @@ -49,7 +51,7 @@ public class TlsConfiguration { /** * Default constructor present for testing and completeness. */ - public TlsConfiguration() { + public StandardTlsConfiguration() { this(null, null, null, "", null, null, "", null); } 
@@ -63,7 +65,7 @@ public TlsConfiguration() { * @param truststorePassword the truststore password * @param truststoreType the truststore type */ - public TlsConfiguration(String keystorePath, String keystorePassword, KeystoreType keystoreType, String truststorePath, String truststorePassword, KeystoreType truststoreType) { + public StandardTlsConfiguration(String keystorePath, String keystorePassword, KeystoreType keystoreType, String truststorePath, String truststorePassword, KeystoreType truststoreType) { this(keystorePath, keystorePassword, keystorePassword, keystoreType, truststorePath, truststorePassword, truststoreType, TLS_PROTOCOL_VERSION); } @@ -78,7 +80,7 @@ public TlsConfiguration(String keystorePath, String keystorePassword, KeystoreTy * @param truststorePassword the truststore password * @param truststoreType the truststore type */ - public TlsConfiguration(String keystorePath, String keystorePassword, String keyPassword, + public StandardTlsConfiguration(String keystorePath, String keystorePassword, String keyPassword, KeystoreType keystoreType, String truststorePath, String truststorePassword, KeystoreType truststoreType) { this(keystorePath, keystorePassword, keyPassword, keystoreType, truststorePath, truststorePassword, truststoreType, TLS_PROTOCOL_VERSION); } @@ -94,7 +96,7 @@ public TlsConfiguration(String keystorePath, String keystorePassword, String key * @param truststorePassword the truststore password * @param truststoreType the truststore type as a String */ - public TlsConfiguration(String keystorePath, String keystorePassword, String keyPassword, + public StandardTlsConfiguration(String keystorePath, String keystorePassword, String keyPassword, String keystoreType, String truststorePath, String truststorePassword, String truststoreType) { this(keystorePath, keystorePassword, keyPassword, (KeystoreType.isValidKeystoreType(keystoreType) ? KeystoreType.valueOf(keystoreType.toUpperCase()) : null), 
@@ -115,7 +117,7 @@ public TlsConfiguration(String keystorePath, String keystorePassword, String key * @param truststoreType the truststore type as a String * @param protocol the TLS protocol version string */ - public TlsConfiguration(String keystorePath, String keystorePassword, String keyPassword, + public StandardTlsConfiguration(String keystorePath, String keystorePassword, String keyPassword, String keystoreType, String truststorePath, String truststorePassword, String truststoreType, String protocol) { this(keystorePath, keystorePassword, keyPassword, (KeystoreType.isValidKeystoreType(keystoreType) ? KeystoreType.valueOf(keystoreType.toUpperCase()) : null), @@ -136,7 +138,7 @@ public TlsConfiguration(String keystorePath, String keystorePassword, String key * @param truststoreType the truststore type * @param protocol the TLS protocol version string */ - public TlsConfiguration(String keystorePath, String keystorePassword, String keyPassword, + public StandardTlsConfiguration(String keystorePath, String keystorePassword, String keyPassword, KeystoreType keystoreType, String truststorePath, String truststorePassword, KeystoreType truststoreType, String protocol) { this.keystorePath = keystorePath; this.keystorePassword = keystorePassword; 
@@ -153,26 +155,26 @@ public TlsConfiguration(String keystorePath, String keystorePassword, String key * * @param other the configuration to copy */ - public TlsConfiguration(TlsConfiguration other) { - this.keystorePath = other.keystorePath; - this.keystorePassword = other.keystorePassword; - this.keyPassword = other.keyPassword; - this.keystoreType = other.keystoreType; - this.truststorePath = other.truststorePath; - this.truststorePassword = other.truststorePassword; - this.truststoreType = other.truststoreType; - this.protocol = other.protocol; + public StandardTlsConfiguration(TlsConfiguration other) { + this.keystorePath = other.getKeystorePath(); + this.keystorePassword = other.getKeystorePassword(); + this.keyPassword = other.getKeyPassword(); + this.keystoreType = other.getKeystoreType(); + this.truststorePath = other.getTruststorePath(); + this.truststorePassword = other.getTruststorePassword(); + this.truststoreType = other.getTruststoreType(); + this.protocol = other.getProtocol(); } // Static factory method from NiFiProperties /** - * Returns a {@link TlsConfiguration} instantiated from the relevant {@link NiFiProperties} properties. + * Returns a {@link org.apache.nifi.security.util.TlsConfiguration} instantiated from the relevant {@link NiFiProperties} properties. * * @param niFiProperties the NiFi properties * @return a populated TlsConfiguration container object */ - public static TlsConfiguration fromNiFiProperties(NiFiProperties niFiProperties) { + public static StandardTlsConfiguration fromNiFiProperties(NiFiProperties niFiProperties) { if (niFiProperties == null) { throw new IllegalArgumentException("The NiFi properties cannot be null"); } 
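Review bot: The copy constructor `StandardTlsConfiguration(TlsConfiguration other)` reads `other` through the interface getters with no null check, so a null argument fails with a bare NullPointerException at `other.getKeystorePath()`. `fromNiFiProperties` in the same hunk rejects null with a descriptive IllegalArgumentException, so the two entry points are inconsistent. Adding `Objects.requireNonNull(other, "The TLS configuration to copy cannot be null");` as the first statement makes the failure explicit; `java.util.Objects` is already imported in this file. The Javadoc links also spell out `{@link org.apache.nifi.security.util.TlsConfiguration}` although the class is in that same package, so `{@link TlsConfiguration}` is enough. The body of `fromNiFiProperties` continues outside the hunk.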
@@ -186,7 +188,7 @@ public static TlsConfiguration fromNiFiProperties(NiFiProperties niFiProperties) String truststoreType = niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE); String protocol = TLS_PROTOCOL_VERSION; - final TlsConfiguration tlsConfiguration = new TlsConfiguration(keystorePath, keystorePassword, keyPassword, + final StandardTlsConfiguration tlsConfiguration = new StandardTlsConfiguration(keystorePath, keystorePassword, keyPassword, keystoreType, truststorePath, truststorePassword, truststoreType, protocol); if (logger.isDebugEnabled()) { @@ -199,12 +201,14 @@ public static TlsConfiguration fromNiFiProperties(NiFiProperties niFiProperties) } /** - * Returns a {@link TlsConfiguration} instantiated from the relevant {@link NiFiProperties} properties for the truststore only. No keystore properties are read or used. + * Returns a {@link org.apache.nifi.security.util.TlsConfiguration} instantiated + * from the relevant {@link NiFiProperties} properties for the truststore + * only. No keystore properties are read or used. * * @param niFiProperties the NiFi properties * @return a populated TlsConfiguration container object */ - public static TlsConfiguration fromNiFiPropertiesTruststoreOnly(NiFiProperties niFiProperties) { + public static StandardTlsConfiguration fromNiFiPropertiesTruststoreOnly(NiFiProperties niFiProperties) { if (niFiProperties == null) { throw new IllegalArgumentException("The NiFi properties cannot be null"); } 
@@ -214,7 +218,7 @@ public static TlsConfiguration fromNiFiPropertiesTruststoreOnly(NiFiProperties n String truststoreType = niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE); String protocol = TLS_PROTOCOL_VERSION; - final TlsConfiguration tlsConfiguration = new TlsConfiguration(null, null, null, null, truststorePath, truststorePassword, + final StandardTlsConfiguration tlsConfiguration = new StandardTlsConfiguration(null, null, null, null, truststorePath, truststorePassword, truststoreType, protocol); if (logger.isDebugEnabled()) { logger.debug("Instantiating TlsConfiguration from NiFi properties: null x4, {}, {}, {}, {}", @@ -224,23 +228,25 @@ public static TlsConfiguration fromNiFiPropertiesTruststoreOnly(NiFiProperties n return tlsConfiguration; } - /** - * Returns {@code true} if the provided TlsConfiguration is {@code null} or empty - * (i.e. neither any of the keystore nor truststore properties are populated). - * - * @param tlsConfiguration the container object to check - * @return true if this container is empty or null - */ - public static boolean isEmpty(TlsConfiguration tlsConfiguration) { - return tlsConfiguration == null || !(tlsConfiguration.isAnyKeystorePopulated() || tlsConfiguration.isAnyTruststorePopulated()); - } + // /** + // * Returns {@code true} if the provided TlsConfiguration is {@code null} or empty + // * (i.e. neither any of the keystore nor truststore properties are populated). + // * + // * @param tlsConfiguration the container object to check + // * @return true if this container is empty or null + // */ + // public static boolean isEmpty(org.apache.nifi.security.util.TlsConfiguration tlsConfiguration) { + // return tlsConfiguration == null || !(tlsConfiguration.isAnyKeystorePopulated() || tlsConfiguration.isAnyTruststorePopulated()); + // } // Getters & setters + @Override public String getKeystorePath() { return keystorePath; } + @Override public String getKeystorePassword() { return keystorePassword; } 
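Review bot: In the second hunk the static `isEmpty(TlsConfiguration)` helper is kept as a commented-out block (Javadoc and body each prefixed with `//`) rather than deleted. If the method now lives on the `TlsConfiguration` interface, which is not visible here, remove the block so that two copies cannot drift apart. If it has not been moved, restore it, because callers that test for an empty configuration before building an SSLContext would presumably lose that check. The getters after the block continue outside the hunk.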
@@ -250,10 +256,12 @@ public String getKeystorePassword() { * * @return a loggable String representation of the keystore password */ + @Override public String getKeystorePasswordForLogging() { return maskPasswordForLog(keystorePassword); } + @Override public String getKeyPassword() { return keyPassword; } @@ -263,6 +271,7 @@ public String getKeyPassword() { * * @return a loggable String representation of the key password */ + @Override public String getKeyPasswordForLogging() { return maskPasswordForLog(keyPassword); } @@ -272,6 +281,7 @@ public String getKeyPasswordForLogging() { * * @return the key or keystore password actually populated */ + @Override public String getFunctionalKeyPassword() { return StringUtils.isNotBlank(keyPassword) ? keyPassword : keystorePassword; } @@ -281,18 +291,22 @@ public String getFunctionalKeyPassword() { * * @return a loggable String representation of the functional key password */ + @Override public String getFunctionalKeyPasswordForLogging() { return maskPasswordForLog(getFunctionalKeyPassword()); } + @Override public KeystoreType getKeystoreType() { return keystoreType; } + @Override public String getTruststorePath() { return truststorePath; } + @Override public String getTruststorePassword() { return truststorePassword; } @@ -302,14 +316,17 @@ public String getTruststorePassword() { * * @return a loggable String representation of the truststore password */ + @Override public String getTruststorePasswordForLogging() { return maskPasswordForLog(truststorePassword); } + @Override public KeystoreType getTruststoreType() { return truststoreType; } + @Override public String getProtocol() { return protocol; } @@ -321,6 +338,7 @@ public String getProtocol() { * * @return true if the path, password, and type are present */ + @Override public boolean isKeystorePopulated() { return isStorePopulated(keystorePath, keystorePassword, keystoreType, "keystore"); } 
@@ -330,6 +348,7 @@ public boolean isKeystorePopulated() { * * @return true if any keystore properties are present */ + @Override public boolean isAnyKeystorePopulated() { return isAnyPopulated(keystorePath, keystorePassword, keystoreType); } @@ -339,6 +358,7 @@ public boolean isAnyKeystorePopulated() { * * @return true if the keystore properties are valid */ + @Override public boolean isKeystoreValid() { boolean simpleCheck = isStoreValid(keystorePath, keystorePassword, keystoreType, "keystore"); if (simpleCheck) { @@ -363,6 +383,7 @@ public boolean isKeystoreValid() { * * @return true if the path, password, and type are present */ + @Override public boolean isTruststorePopulated() { return isStorePopulated(truststorePath, truststorePassword, truststoreType, "truststore"); } @@ -372,6 +393,7 @@ public boolean isTruststorePopulated() { * * @return true if any truststore properties are present */ + @Override public boolean isAnyTruststorePopulated() { return isAnyPopulated(truststorePath, truststorePassword, truststoreType); } @@ -381,6 +403,7 @@ public boolean isAnyTruststorePopulated() { * * @return true if the truststore properties are valid */ + @Override public boolean isTruststoreValid() { return isStoreValid(truststorePath, truststorePassword, truststoreType, "truststore"); } @@ -392,6 +415,7 @@ public boolean isTruststoreValid() { * * @return a loggable String[] */ + @Override public String[] getKeystorePropertiesForLogging() { return new String[]{getKeystorePath(), getKeystorePasswordForLogging(), getFunctionalKeyPasswordForLogging(), getKeystoreType() != null ? getKeystoreType().getType() : NULL_LOG}; } 
@@ -403,37 +427,38 @@ public String[] getKeystorePropertiesForLogging() { * * @return a loggable String[] */ + @Override public String[] getTruststorePropertiesForLogging() { return new String[]{getTruststorePath(), getTruststorePasswordForLogging(), getKeystoreType() != null ? getTruststoreType().getType() : NULL_LOG}; } @Override public String toString() { - return new ToStringBuilder(this) - .append("keystorePath", keystorePath) - .append("keystorePassword", getKeystorePasswordForLogging()) - .append("keyPassword", getKeyPasswordForLogging()) - .append("keystoreType", keystoreType) - .append("truststorePath", truststorePath) - .append("truststorePassword", getTruststorePasswordForLogging()) - .append("truststoreType", truststoreType) - .append("protocol", protocol) - .toString(); + StringBuilder sb = new StringBuilder("[TlsConfiguration]"); + sb.append("keystorePath=").append(keystorePath); + sb.append(",keystorePassword=").append(getKeystorePasswordForLogging()); + sb.append(",keyPassword=").append(getKeyPasswordForLogging()); + sb.append(",keystoreType=").append(keystoreType); + sb.append(",truststorePath=").append(truststorePath); + sb.append(",truststorePassword=").append(getTruststorePasswordForLogging()); + sb.append(",truststoreType=").append(truststoreType); + sb.append(",protocol=").append(protocol); + return sb.toString(); } @Override public boolean equals(Object o) { if (this == o) return true; if (o == null || getClass() != o.getClass()) return false; - TlsConfiguration that = (TlsConfiguration) o; - return Objects.equals(keystorePath, that.keystorePath) - && Objects.equals(keystorePassword, that.keystorePassword) - && Objects.equals(keyPassword, that.keyPassword) - && keystoreType == that.keystoreType - && Objects.equals(truststorePath, that.truststorePath) - && Objects.equals(truststorePassword, that.truststorePassword) - && truststoreType == that.truststoreType - && Objects.equals(protocol, that.protocol); + 
org.apache.nifi.security.util.TlsConfiguration that = (org.apache.nifi.security.util.TlsConfiguration) o; + return Objects.equals(keystorePath, that.getKeystorePath()) + && Objects.equals(keystorePassword, that.getKeystorePassword()) + && Objects.equals(keyPassword, that.getKeyPassword()) + && keystoreType == that.getKeystoreType() + && Objects.equals(truststorePath, that.getTruststorePath()) + && Objects.equals(truststorePassword, that.getTruststorePassword()) + && truststoreType == that.getTruststoreType() + && Objects.equals(protocol, that.getProtocol()); } @Override diff --git a/nifi-commons/nifi-security-xml-config/src/main/java/org/apache/nifi/security/xml/SafeXMLConfiguration.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/xml/SafeXMLConfiguration.java similarity index 99% rename from nifi-commons/nifi-security-xml-config/src/main/java/org/apache/nifi/security/xml/SafeXMLConfiguration.java rename to nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/xml/SafeXMLConfiguration.java index 0e0cd7edb342..44f29dcb4095 100644 --- a/nifi-commons/nifi-security-xml-config/src/main/java/org/apache/nifi/security/xml/SafeXMLConfiguration.java +++ b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/xml/SafeXMLConfiguration.java @@ -16,6 +16,12 @@ */ package org.apache.nifi.security.xml; +import java.io.IOException; +import java.io.InputStream; +import java.io.Reader; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; import org.apache.commons.configuration2.HierarchicalConfiguration; import org.apache.commons.configuration2.XMLConfiguration; import org.apache.commons.configuration2.ex.ConfigurationException; 
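Review bot: `getTruststorePropertiesForLogging()` in StandardTlsConfiguration still guards on the wrong field: `getKeystoreType() != null ? getTruststoreType().getType() : NULL_LOG`. When a keystore type is set but the truststore type is null this throws a NullPointerException while building a log message. For a truststore-only configuration, where the keystore type is presumably null, the truststore type is logged as `null` even when it is set. The condition should test the value it dereferences: `getTruststoreType() != null ? getTruststoreType().getType() : NULL_LOG`. The commit only adds `@Override` above this method, so the fix can go in with it. The `hashCode` override that follows `equals` starts at the end of the hunk and continues outside it.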
@@ -25,13 +31,6 @@ import org.xml.sax.SAXParseException; import org.xml.sax.helpers.DefaultHandler; -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.parsers.ParserConfigurationException; -import java.io.IOException; -import java.io.InputStream; -import java.io.Reader; - /** * For security reasons, this class overrides the Apache commons 'XMLConfiguration' class to disable processing of XML external entity (XXE) declarations. * This class should be used in all cases where an XML configuration file will be used by NiFi. It is currently used by the XMLFileLookupService. diff --git a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy index a1044ca4132c..f9fa704eaa4b 100644 --- a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy +++ b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy 
@@ -203,17 +203,17 @@ class CertificateUtilsTest extends GroovyTestCase { SSLSocket noneSocket = [getNeedClientAuth: { -> false }, getWantClientAuth: { -> false }] as SSLSocket // Act - SslContextFactory.ClientAuth needClientAuthStatus = CertificateUtils.getClientAuthStatus(needSocket) + ClientAuth needClientAuthStatus = CertificateUtils.getClientAuthStatus(needSocket) logger.info("Client auth (needSocket): ${needClientAuthStatus}") - SslContextFactory.ClientAuth wantClientAuthStatus = CertificateUtils.getClientAuthStatus(wantSocket) + ClientAuth wantClientAuthStatus = CertificateUtils.getClientAuthStatus(wantSocket) logger.info("Client auth (wantSocket): ${wantClientAuthStatus}") - SslContextFactory.ClientAuth noneClientAuthStatus = CertificateUtils.getClientAuthStatus(noneSocket) + ClientAuth noneClientAuthStatus = CertificateUtils.getClientAuthStatus(noneSocket) logger.info("Client auth (noneSocket): ${noneClientAuthStatus}") // Assert - assert needClientAuthStatus == SslContextFactory.ClientAuth.REQUIRED - assert wantClientAuthStatus == SslContextFactory.ClientAuth.WANT - assert noneClientAuthStatus == SslContextFactory.ClientAuth.NONE + assert needClientAuthStatus == ClientAuth.REQUIRED + assert wantClientAuthStatus == ClientAuth.WANT + assert noneClientAuthStatus == ClientAuth.NONE } @Test 
@@ -613,58 +613,6 @@ class CertificateUtilsTest extends GroovyTestCase { assert !unrelatedResults.any() } - @Test - void testShouldParseJavaVersion() { - // Arrange - def possibleVersions = ["1.5.0", "1.6.0", "1.7.0.123", "1.8.0.231", "9.0.1", "10.1.2", "11.2.3", "12.3.456"] - - // Act - def majorVersions = possibleVersions.collect { String version -> - logger.debug("Attempting to determine major version of ${version}") - CertificateUtils.parseJavaVersion(version) - } - logger.info("Major versions: ${majorVersions}") - - // Assert - assert majorVersions == (5..12) - } - - @Test - void testShouldGetCurrentSupportedTlsProtocolVersions() { - // Arrange - int javaMajorVersion = CertificateUtils.getJavaVersion() - logger.debug("Running on Java version: ${javaMajorVersion}") - - // Act - def tlsVersions = CertificateUtils.getCurrentSupportedTlsProtocolVersions() - logger.info("Supported protocol versions for ${javaMajorVersion}: ${tlsVersions}") - - // Assert - if (javaMajorVersion < 11) { - assert tlsVersions == ["TLSv1.2"] as String[] - } else { - assert tlsVersions == ["TLSv1.3", "TLSv1.2"] as String[] - } - } - - @Test - void testShouldGetMaxCurrentSupportedTlsProtocolVersion() { - // Arrange - int javaMajorVersion = CertificateUtils.getJavaVersion() - logger.debug("Running on Java version: ${javaMajorVersion}") - - // Act - def tlsVersion = CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion() - logger.info("Highest supported protocol version for ${javaMajorVersion}: ${tlsVersion}") - - // Assert - if (javaMajorVersion < 11) { - assert tlsVersion == "TLSv1.2" - } else { - assert tlsVersion == "TLSv1.3" - } - } - @Test void testGetExtensionsFromCSR() { // Arrange diff --git a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/SslContextFactoryTest.groovy b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/SslContextFactoryTest.groovy index cff92ff9df59..68266ae33d6e 100644 
--- a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/SslContextFactoryTest.groovy +++ b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/SslContextFactoryTest.groovy @@ -44,7 +44,7 @@ class SslContextFactoryTest extends GroovyTestCase { private static final String TRUSTSTORE_PASSWORD = "truststorepassword" private static final KeystoreType TRUSTSTORE_TYPE = KeystoreType.JKS - private static final String PROTOCOL = CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion() + private static final String PROTOCOL = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion() // The default TLS protocol versions for different Java versions private static final List JAVA_8_TLS_PROTOCOL_VERSIONS = ["TLSv1.2", "TLSv1.1", "TLSv1"] @@ -75,7 +75,7 @@ class SslContextFactoryTest extends GroovyTestCase { @Before void setUp() { - tlsConfiguration = new TlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) + tlsConfiguration = new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) } @After @@ -84,7 +84,7 @@ class SslContextFactoryTest extends GroovyTestCase { } static List getCurrentTlsProtocolVersions() { - if (CertificateUtils.getJavaVersion() < 11) { + if (TlsConfiguration.getJavaVersion() < 11) { return JAVA_8_TLS_PROTOCOL_VERSIONS } else { return JAVA_11_TLS_PROTOCOL_VERSIONS @@ -98,7 +98,7 @@ class SslContextFactoryTest extends GroovyTestCase { * @param expectedProtocols the specific protocol versions to be present (ordered as desired) */ void assertProtocolVersions(def enabledProtocols, def expectedProtocols) { - if (CertificateUtils.getJavaVersion() > 8) { + if (TlsConfiguration.getJavaVersion() > 8) { assert enabledProtocols == expectedProtocols as String[] } else { assert enabledProtocols as Set == expectedProtocols as Set 
@@ -111,7 +111,7 @@ class SslContextFactoryTest extends GroovyTestCase { logger.info("Creating SSL Context from TLS Configuration: ${tlsConfiguration}") // Act - SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.NONE) logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}") // Assert @@ -137,11 +137,11 @@ class SslContextFactoryTest extends GroovyTestCase { (NiFiProperties.SECURITY_KEY_PASSWD): "", ] NiFiProperties propertiesWithoutKeyPassword = NiFiProperties.createBasicNiFiProperties("", missingKeyPasswordProps) - TlsConfiguration configWithoutKeyPassword = TlsConfiguration.fromNiFiProperties(propertiesWithoutKeyPassword) + TlsConfiguration configWithoutKeyPassword = StandardTlsConfiguration.fromNiFiProperties(propertiesWithoutKeyPassword) logger.info("Creating SSL Context from TLS Configuration: ${configWithoutKeyPassword}") // Act - SSLContext sslContext = SslContextFactory.createSslContext(configWithoutKeyPassword, SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(configWithoutKeyPassword, ClientAuth.NONE) logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}") // Assert @@ -170,7 +170,7 @@ class SslContextFactoryTest extends GroovyTestCase { (NiFiProperties.SECURITY_KEYSTORE): "", ] NiFiProperties propsNoKeystorePath = NiFiProperties.createBasicNiFiProperties("", missingKeystorePathProps) - TlsConfiguration configNoKeystorePath = TlsConfiguration.fromNiFiProperties(propsNoKeystorePath) + TlsConfiguration configNoKeystorePath = StandardTlsConfiguration.fromNiFiProperties(propsNoKeystorePath) logger.info("Creating SSL Context from TLS Configuration: ${configNoKeystorePath}") Map missingTruststorePathProps = DEFAULT_PROPS + [ 
@@ -182,17 +182,17 @@ class SslContextFactoryTest extends GroovyTestCase { (NiFiProperties.SECURITY_KEYSTORE_TYPE) : "", ] NiFiProperties propsNoTruststorePath = NiFiProperties.createBasicNiFiProperties("", missingTruststorePathProps) - TlsConfiguration configNoTruststorePath = TlsConfiguration.fromNiFiProperties(propsNoTruststorePath) + TlsConfiguration configNoTruststorePath = StandardTlsConfiguration.fromNiFiProperties(propsNoTruststorePath) logger.info("Creating SSL Context from TLS Configuration: ${configNoTruststorePath}") // Act def noKeystorePathMsg = shouldFail(TlsException) { - SSLContext sslContext = SslContextFactory.createSslContext(configNoKeystorePath, SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(configNoKeystorePath, ClientAuth.NONE) logger.info("Created SSL Context missing keystore path: ${KeyStoreUtils.sslContextToString(sslContext)}") } def noTruststorePathMsg = shouldFail(TlsException) { - SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePath, SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePath, ClientAuth.NONE) logger.info("Created SSL Context missing truststore path: ${KeyStoreUtils.sslContextToString(sslContext)}") } 
@@ -214,11 +214,11 @@ class SslContextFactoryTest extends GroovyTestCase { (NiFiProperties.SECURITY_TRUSTSTORE_PASSWD): "", ] NiFiProperties propertiesNoTruststorePassword = NiFiProperties.createBasicNiFiProperties("", truststoreNoPasswordProps) - TlsConfiguration configNoTruststorePassword = TlsConfiguration.fromNiFiProperties(propertiesNoTruststorePassword) + TlsConfiguration configNoTruststorePassword = StandardTlsConfiguration.fromNiFiProperties(propertiesNoTruststorePassword) logger.info("Creating SSL Context from TLS Configuration: ${configNoTruststorePassword}") // Act - SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePassword, SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePassword, ClientAuth.NONE) logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}") // Assert @@ -246,12 +246,12 @@ class SslContextFactoryTest extends GroovyTestCase { // Change the keystore to one with the same keystore and key password, but don't provide the key password Map keystoreOnlyProps = DEFAULT_PROPS.findAll { k, v -> k.contains("keystore") } NiFiProperties keystoreNiFiProperties = NiFiProperties.createBasicNiFiProperties("", keystoreOnlyProps) - TlsConfiguration keystoreOnlyConfig = TlsConfiguration.fromNiFiProperties(keystoreNiFiProperties) + TlsConfiguration keystoreOnlyConfig = StandardTlsConfiguration.fromNiFiProperties(keystoreNiFiProperties) logger.info("Creating SSL Context from TLS Configuration: ${keystoreOnlyConfig}") // Act def msg = shouldFail(TlsException) { - SSLContext sslContext = SslContextFactory.createSslContext(keystoreOnlyConfig, SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(keystoreOnlyConfig, ClientAuth.NONE) logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}") } logger.expected(msg) 
@@ -267,11 +267,11 @@ class SslContextFactoryTest extends GroovyTestCase { @Test void testCreateSslContextFromTlsConfigurationShouldHandleEmptyConfiguration() { // Arrange - TlsConfiguration emptyConfig = new TlsConfiguration() + TlsConfiguration emptyConfig = new StandardTlsConfiguration() logger.info("Creating SSL Context from TLS Configuration: ${emptyConfig}") // Act - SSLContext sslContext = SslContextFactory.createSslContext(emptyConfig, SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(emptyConfig, ClientAuth.NONE) // Assert assert !sslContext diff --git a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/TlsConfigurationTest.groovy b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/StandardTlsConfigurationTest.groovy similarity index 74% rename from nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/TlsConfigurationTest.groovy rename to nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/StandardTlsConfigurationTest.groovy index 29ba36dfb3d0..ec117136a8fa 100644 --- a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/TlsConfigurationTest.groovy +++ b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/StandardTlsConfigurationTest.groovy @@ -31,8 +31,8 @@ import org.slf4j.LoggerFactory import java.security.Security @RunWith(JUnit4.class) -class TlsConfigurationTest extends GroovyTestCase { - private static final Logger logger = LoggerFactory.getLogger(TlsConfigurationTest.class) +class StandardTlsConfigurationTest extends GroovyTestCase { + private static final Logger logger = LoggerFactory.getLogger(StandardTlsConfigurationTest.class) private static final String KEYSTORE_PATH = "src/test/resources/TlsConfigurationKeystore.jks" private static final String KEYSTORE_PASSWORD = "keystorepassword" 
@@ -68,7 +68,7 @@ class TlsConfigurationTest extends GroovyTestCase { @Before void setUp() throws Exception { - tlsConfiguration = new TlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) + tlsConfiguration = new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) } @After @@ -80,7 +80,7 @@ class TlsConfigurationTest extends GroovyTestCase { // Arrange // Act - TlsConfiguration fromProperties = TlsConfiguration.fromNiFiProperties(mockNiFiProperties) + TlsConfiguration fromProperties = StandardTlsConfiguration.fromNiFiProperties(mockNiFiProperties) logger.info("Created TlsConfiguration: ${fromProperties}") // Assert @@ -96,7 +96,7 @@ class TlsConfigurationTest extends GroovyTestCase { ]) // Act - TlsConfiguration fromProperties = TlsConfiguration.fromNiFiProperties(noKeystoreTypesProps) + TlsConfiguration fromProperties = StandardTlsConfiguration.fromNiFiProperties(noKeystoreTypesProps) logger.info("Created TlsConfiguration: ${fromProperties}") // Assert 
@@ -110,10 +110,10 @@ class TlsConfigurationTest extends GroovyTestCase { TlsConfiguration withKeyPassword = tlsConfiguration // A container where the keystore password is explicitly set as the key password as well - TlsConfiguration withoutKeyPassword = new TlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) + TlsConfiguration withoutKeyPassword = new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) // A container where null is explicitly set as the key password - TlsConfiguration withNullPassword = new TlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, null, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) + TlsConfiguration withNullPassword = new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, null, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) // Act String actualKeyPassword = withKeyPassword.getKeyPassword() @@ -139,8 +139,8 @@ class TlsConfigurationTest extends GroovyTestCase { @Test void testShouldCheckKeystorePopulation() { // Arrange - TlsConfiguration empty = new TlsConfiguration() - TlsConfiguration noKeystorePassword = new TlsConfiguration(KEYSTORE_PATH, "", KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) + TlsConfiguration empty = new StandardTlsConfiguration() + TlsConfiguration noKeystorePassword = new StandardTlsConfiguration(KEYSTORE_PATH, "", KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) // Act boolean normalIsPopulated = tlsConfiguration.isKeystorePopulated() 
@@ -156,8 +156,8 @@ class TlsConfigurationTest extends GroovyTestCase { @Test void testShouldCheckTruststorePopulation() { // Arrange - TlsConfiguration empty = new TlsConfiguration() - TlsConfiguration noTruststorePassword = new TlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, "", TRUSTSTORE_TYPE) + TlsConfiguration empty = new StandardTlsConfiguration() + TlsConfiguration noTruststorePassword = new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, "", TRUSTSTORE_TYPE) // Act boolean normalIsPopulated = tlsConfiguration.isTruststorePopulated() @@ -173,9 +173,9 @@ class TlsConfigurationTest extends GroovyTestCase { @Test void testShouldValidateKeystoreConfiguration() { // Arrange - TlsConfiguration empty = new TlsConfiguration() - TlsConfiguration wrongPassword = new TlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD.reverse(), KEY_PASSWORD.reverse(), KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD.reverse(), TRUSTSTORE_TYPE) - TlsConfiguration invalid = new TlsConfiguration(KEYSTORE_PATH.reverse(), KEYSTORE_PASSWORD.reverse(), KEY_PASSWORD.reverse(), KEYSTORE_TYPE, TRUSTSTORE_PATH.reverse(), TRUSTSTORE_PASSWORD.reverse(), TRUSTSTORE_TYPE) + TlsConfiguration empty = new StandardTlsConfiguration() + TlsConfiguration wrongPassword = new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD.reverse(), KEY_PASSWORD.reverse(), KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD.reverse(), TRUSTSTORE_TYPE) + TlsConfiguration invalid = new StandardTlsConfiguration(KEYSTORE_PATH.reverse(), KEYSTORE_PASSWORD.reverse(), KEY_PASSWORD.reverse(), KEYSTORE_TYPE, TRUSTSTORE_PATH.reverse(), TRUSTSTORE_PASSWORD.reverse(), TRUSTSTORE_TYPE) // Act boolean normalIsValid = tlsConfiguration.isKeystoreValid() 
@@ -193,9 +193,9 @@ class TlsConfigurationTest extends GroovyTestCase { @Test void testShouldValidateTruststoreConfiguration() { // Arrange - TlsConfiguration empty = new TlsConfiguration() - TlsConfiguration wrongPassword = new TlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD.reverse(), KEY_PASSWORD.reverse(), KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD.reverse(), TRUSTSTORE_TYPE) - TlsConfiguration invalid = new TlsConfiguration(KEYSTORE_PATH.reverse(), KEYSTORE_PASSWORD.reverse(), KEY_PASSWORD.reverse(), KEYSTORE_TYPE, TRUSTSTORE_PATH.reverse(), TRUSTSTORE_PASSWORD.reverse(), TRUSTSTORE_TYPE) + TlsConfiguration empty = new StandardTlsConfiguration() + TlsConfiguration wrongPassword = new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD.reverse(), KEY_PASSWORD.reverse(), KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD.reverse(), TRUSTSTORE_TYPE) + TlsConfiguration invalid = new StandardTlsConfiguration(KEYSTORE_PATH.reverse(), KEYSTORE_PASSWORD.reverse(), KEY_PASSWORD.reverse(), KEYSTORE_TYPE, TRUSTSTORE_PATH.reverse(), TRUSTSTORE_PASSWORD.reverse(), TRUSTSTORE_TYPE) // Act boolean normalIsValid = tlsConfiguration.isTruststoreValid() diff --git a/nifi-commons/nifi-security-xml-config/pom.xml b/nifi-commons/nifi-security-xml-config/pom.xml deleted file mode 100644 index 55f95dc02f1c..000000000000 --- a/nifi-commons/nifi-security-xml-config/pom.xml +++ /dev/null @@ -1,78 +0,0 @@ - - - 4.0.0 - - org.apache.nifi - nifi-commons - 1.13.0-SNAPSHOT - - nifi-security-xml-config - - - org.apache.commons - commons-configuration2 - 2.7 - - - - - - - org.apache.rat - apache-rat-plugin - - - src/test/resources/xxe_template.xml - - - - - - - - - - jigsaw - - (1.8,) - - - - javax.xml.bind - jaxb-api - test - - - com.sun.xml.bind - jaxb-core - test - - - com.sun.xml.bind - jaxb-impl - test - - - com.sun.activation - javax.activation - - - - - - - 
diff --git a/nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java b/nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java index 7af6cceec62f..421d6a6ce31e 100644 --- a/nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java +++ b/nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java @@ -44,8 +44,8 @@ import org.apache.nifi.remote.protocol.DataPacket; import org.apache.nifi.remote.protocol.SiteToSiteTransportProtocol; import org.apache.nifi.remote.protocol.http.HttpProxy; -import org.apache.nifi.security.util.CertificateUtils; import org.apache.nifi.security.util.KeyStoreUtils; +import org.apache.nifi.security.util.TlsConfiguration; /** *

@@ -919,7 +919,7 @@ public SSLContext getSslContext() { if (keyManagerFactory != null && trustManagerFactory != null) { try { // initialize the ssl context - final SSLContext sslContext = SSLContext.getInstance(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + final SSLContext sslContext = SSLContext.getInstance(TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom()); sslContext.getDefaultSSLParameters().setNeedClientAuth(true); diff --git a/nifi-commons/nifi-site-to-site-client/src/test/java/org/apache/nifi/remote/client/http/TestHttpClient.java b/nifi-commons/nifi-site-to-site-client/src/test/java/org/apache/nifi/remote/client/http/TestHttpClient.java index ab71c5653217..418bb8130dc2 100644 --- a/nifi-commons/nifi-site-to-site-client/src/test/java/org/apache/nifi/remote/client/http/TestHttpClient.java +++ b/nifi-commons/nifi-site-to-site-client/src/test/java/org/apache/nifi/remote/client/http/TestHttpClient.java @@ -65,7 +65,7 @@ import org.apache.nifi.remote.protocol.http.HttpHeaders; import org.apache.nifi.remote.protocol.http.HttpProxy; import org.apache.nifi.remote.util.StandardDataPacket; -import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.stream.io.StreamUtils; import org.apache.nifi.web.api.dto.ControllerDTO; import org.apache.nifi.web.api.dto.PortDTO; @@ -100,7 +100,7 @@ public class TestHttpClient { - private static Logger logger = LoggerFactory.getLogger(TestHttpClient.class); + private static final Logger logger = LoggerFactory.getLogger(TestHttpClient.class); private static Server server; private static ServerConnector httpConnector; 
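Review bot: The context line `sslContext.getDefaultSSLParameters().setNeedClientAuth(true);` in getSslContext() appears to have no effect, because `SSLContext.getDefaultSSLParameters()` returns a copy of the defaults and the flag is set on an object that is then discarded. Need-client-auth is also a server-side setting, while this context is built for the site-to-site client. Since the commit already touches the line above, I would drop the call or replace it with a comment such as `// client-side context: the remote server decides whether a client certificate is required`. getSslContext() starts and ends outside the hunk, so this assumes the context is not reconfigured further down.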
@@ -457,7 +457,7 @@ public static void setup() throws Exception { sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks"); sslContextFactory.setKeyStorePassword("passwordpassword"); sslContextFactory.setKeyStoreType("JKS"); - sslContextFactory.setProtocol(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + sslContextFactory.setProtocol(TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); sslContextFactory.setExcludeProtocols("TLS", "TLSv1", "TLSv1.1"); httpConnector = new ServerConnector(server); diff --git a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/ServerSocketConfiguration.java b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/ServerSocketConfiguration.java index d33a48ae6bd6..2727d43fbb20 100644 --- a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/ServerSocketConfiguration.java +++ b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/ServerSocketConfiguration.java @@ -17,6 +17,7 @@ package org.apache.nifi.io.socket; import javax.net.ssl.SSLContext; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; @@ -34,7 +35,7 @@ public ServerSocketConfiguration() { public SSLContext createSSLContext() throws TlsException { // ClientAuth was hardcoded to REQUIRED in removed SSLContextFactory and overridden in SocketUtils when the socket is created - return SslContextFactory.createSslContext(tlsConfiguration, SslContextFactory.ClientAuth.REQUIRED); + return SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED); } public void setTlsConfiguration(final TlsConfiguration tlsConfiguration) { 
diff --git a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketConfiguration.java b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketConfiguration.java index 88709f509cd5..8c76f4514aa6 100644 --- a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketConfiguration.java +++ b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketConfiguration.java @@ -17,6 +17,7 @@ package org.apache.nifi.io.socket; import javax.net.ssl.SSLContext; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; @@ -35,7 +36,7 @@ public final class SocketConfiguration { public SSLContext createSSLContext() throws TlsException { // This is only used for client sockets, so the client auth setting is ignored - return SslContextFactory.createSslContext(tlsConfiguration, SslContextFactory.ClientAuth.NONE); + return SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.NONE); } public void setTlsConfiguration(final TlsConfiguration tlsConfiguration) { diff --git a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketUtils.java b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketUtils.java index 453cbb2a1360..43556a7ac308 100644 --- a/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketUtils.java +++ b/nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketUtils.java @@ -24,7 +24,7 @@ import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; import org.apache.nifi.logging.NiFiLog; -import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -66,7 +66,7 @@ public static Socket createSocket(final InetSocketAddress address, final SocketC Socket tempSocket = sslContext.getSocketFactory().createSocket(address.getHostName(), address.getPort()); final SSLSocket sslSocket = (SSLSocket) tempSocket; // Enforce custom protocols on socket - sslSocket.setEnabledProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions()); + sslSocket.setEnabledProtocols(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()); socket = sslSocket; } @@ -129,7 +129,7 @@ public static ServerSocket createServerSocket(final int port, final ServerSocket final SSLServerSocket sslServerSocket = (SSLServerSocket) serverSocket; sslServerSocket.setNeedClientAuth(config.getNeedClientAuth()); // Enforce custom protocols on socket - sslServerSocket.setEnabledProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions()); + sslServerSocket.setEnabledProtocols(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()); } if (config.getSocketTimeout() != null) { diff --git a/nifi-commons/nifi-socket-utils/src/test/groovy/org/apache/nifi/io/socket/SocketUtilsTest.groovy b/nifi-commons/nifi-socket-utils/src/test/groovy/org/apache/nifi/io/socket/SocketUtilsTest.groovy index b0a62c8478d5..9b3510916b5e 100644 --- a/nifi-commons/nifi-socket-utils/src/test/groovy/org/apache/nifi/io/socket/SocketUtilsTest.groovy +++ b/nifi-commons/nifi-socket-utils/src/test/groovy/org/apache/nifi/io/socket/SocketUtilsTest.groovy @@ -16,8 +16,9 @@ */ package org.apache.nifi.io.socket -import org.apache.nifi.security.util.CertificateUtils + import org.apache.nifi.security.util.KeystoreType +import org.apache.nifi.security.util.StandardTlsConfiguration import org.apache.nifi.security.util.TlsConfiguration import org.apache.nifi.util.NiFiProperties import org.bouncycastle.jce.provider.BouncyCastleProvider 
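Review bot: createSocket() restricts the `SSLSocket` to `TlsConfiguration.getCurrentSupportedTlsProtocolVersions()`, but nothing visible in the hunk enables endpoint identification, and a plain `SSLSocket` does not compare the peer certificate with the host name unless told to. If this is not done elsewhere in the method (its body starts and ends outside the hunk), it belongs next to the protocol restriction: `SSLParameters p = sslSocket.getSSLParameters(); p.setEndpointIdentificationAlgorithm("HTTPS"); sslSocket.setSSLParameters(p);`, with `javax.net.ssl.SSLParameters` imported. Certificates without a matching subject alternative name would then fail the handshake, so the check may need to be configurable for existing deployments.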
@@ -46,7 +47,7 @@ class SocketUtilsTest extends GroovyTestCase { private static final String TRUSTSTORE_PASSWORD = "truststorepassword" private static final KeystoreType TRUSTSTORE_TYPE = KeystoreType.JKS - private static final String PROTOCOL = CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion() + private static final String PROTOCOL = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion() private static final Map DEFAULT_PROPS = [ (NiFiProperties.SECURITY_KEYSTORE) : KEYSTORE_PATH, @@ -61,8 +62,8 @@ class SocketUtilsTest extends GroovyTestCase { private NiFiProperties mockNiFiProperties = NiFiProperties.createBasicNiFiProperties(null, DEFAULT_PROPS) // A static TlsConfiguration referencing the test resource keystore and truststore -// private static final TlsConfiguration TLS_CONFIGURATION = new TlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, PROTOCOL) -// private static final SSLContext sslContext = SslContextFactory.createSslContext(TLS_CONFIGURATION, SslContextFactory.ClientAuth.NONE) +// private static final TlsConfiguration TLS_CONFIGURATION = new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, PROTOCOL) +// private static final SSLContext sslContext = SslContextFactory.createSslContext(TLS_CONFIGURATION, ClientAuth.NONE) @BeforeClass static void setUpOnce() throws Exception { 
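Review bot: The second hunk here rewrites two commented-out declarations (`// private static final TlsConfiguration TLS_CONFIGURATION = new StandardTlsConfiguration(...)` and `// private static final SSLContext sslContext = SslContextFactory.createSslContext(TLS_CONFIGURATION, ClientAuth.NONE)`) instead of removing them. Commented-out code is never compiled, so the rename cannot be verified there; `ClientAuth`, for example, is not among the imports shown in this file's import hunk. I would delete both lines together with the `// A static TlsConfiguration referencing the test resource keystore and truststore` comment above them.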
@@ -87,7 +88,7 @@ class SocketUtilsTest extends GroovyTestCase { void testCreateSSLServerSocketShouldRestrictTlsProtocols() { // Arrange ServerSocketConfiguration mockServerSocketConfiguration = new ServerSocketConfiguration() - mockServerSocketConfiguration.setTlsConfiguration(TlsConfiguration.fromNiFiProperties(mockNiFiProperties)) + mockServerSocketConfiguration.setTlsConfiguration(StandardTlsConfiguration.fromNiFiProperties(mockNiFiProperties)) // Act SSLServerSocket sslServerSocket = SocketUtils.createSSLServerSocket(0, mockServerSocketConfiguration) @@ -96,7 +97,7 @@ class SocketUtilsTest extends GroovyTestCase { // Assert String[] enabledProtocols = sslServerSocket.getEnabledProtocols() logger.info("Enabled protocols: ${enabledProtocols}") - assert enabledProtocols == CertificateUtils.getCurrentSupportedTlsProtocolVersions() + assert enabledProtocols == TlsConfiguration.getCurrentSupportedTlsProtocolVersions() assert !enabledProtocols.contains("TLSv1") assert !enabledProtocols.contains("TLSv1.1") } @@ -105,7 +106,7 @@ class SocketUtilsTest extends GroovyTestCase { void testCreateServerSocketShouldRestrictTlsProtocols() { // Arrange ServerSocketConfiguration mockServerSocketConfiguration = new ServerSocketConfiguration() - mockServerSocketConfiguration.setTlsConfiguration(TlsConfiguration.fromNiFiProperties(mockNiFiProperties)) + mockServerSocketConfiguration.setTlsConfiguration(StandardTlsConfiguration.fromNiFiProperties(mockNiFiProperties)) // Act SSLServerSocket sslServerSocket = SocketUtils.createServerSocket(0, mockServerSocketConfiguration) as SSLServerSocket 
@@ -114,7 +115,7 @@ class SocketUtilsTest extends GroovyTestCase { // Assert String[] enabledProtocols = sslServerSocket.getEnabledProtocols() logger.info("Enabled protocols: ${enabledProtocols}") - assert enabledProtocols == CertificateUtils.getCurrentSupportedTlsProtocolVersions() + assert enabledProtocols == TlsConfiguration.getCurrentSupportedTlsProtocolVersions() assert !enabledProtocols.contains("TLSv1") assert !enabledProtocols.contains("TLSv1.1") } diff --git a/nifi-commons/nifi-utils/src/main/java/org/apache/nifi/util/file/classloader/ClassLoaderUtils.java b/nifi-commons/nifi-utils/src/main/java/org/apache/nifi/util/file/classloader/ClassLoaderUtils.java index fbf76bc922a9..0867bb9fa8dc 100644 --- a/nifi-commons/nifi-utils/src/main/java/org/apache/nifi/util/file/classloader/ClassLoaderUtils.java +++ b/nifi-commons/nifi-utils/src/main/java/org/apache/nifi/util/file/classloader/ClassLoaderUtils.java @@ -16,18 +16,14 @@ */ package org.apache.nifi.util.file.classloader; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import javax.xml.bind.DatatypeConverter; import java.io.File; import java.io.FilenameFilter; -import java.io.UnsupportedEncodingException; import java.net.MalformedURLException; import java.net.URI; import java.net.URISyntaxException; import java.net.URL; import java.net.URLClassLoader; +import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.Arrays; @@ -37,6 +33,9 @@ import java.util.List; import java.util.Set; import java.util.stream.Collectors; +import javax.xml.bind.DatatypeConverter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; public class ClassLoaderUtils { 
@@ -149,11 +148,11 @@ public static String generateAdditionalUrlsFingerprint(Set urls) { listOfUrls.forEach(url -> { urlBuffer.append(url).append("-").append(getLastModified(url)).append(";"); }); - byte[] bytesOfAdditionalUrls = urlBuffer.toString().getBytes("UTF-8"); + byte[] bytesOfAdditionalUrls = urlBuffer.toString().getBytes(StandardCharsets.UTF_8); byte[] bytesOfDigest = md.digest(bytesOfAdditionalUrls); return DatatypeConverter.printHexBinary(bytesOfDigest); - } catch (NoSuchAlgorithmException | UnsupportedEncodingException e) { + } catch (NoSuchAlgorithmException e) { LOGGER.error("Unable to generate fingerprint for the provided additional resources {}", new Object[]{urls, e}); return null; } diff --git a/nifi-commons/pom.xml b/nifi-commons/pom.xml index ba574b877e5c..93d4a7a66399 100644 --- a/nifi-commons/pom.xml +++ b/nifi-commons/pom.xml @@ -37,8 +37,8 @@ nifi-record-path nifi-rocksdb-utils nifi-schema-utils + nifi-security-utils-api nifi-security-utils - nifi-security-xml-config nifi-site-to-site-client nifi-socket-utils nifi-utils diff --git a/nifi-docs/src/main/asciidoc/images/s2s-rproxy-http.svg b/nifi-docs/src/main/asciidoc/images/s2s-rproxy-http.svg index c845aaea9e2e..60c6ad230d23 100644 --- a/nifi-docs/src/main/asciidoc/images/s2s-rproxy-http.svg +++ b/nifi-docs/src/main/asciidoc/images/s2s-rproxy-http.svg @@ -13,5 +13,6 @@ See the License for the specific language governing permissions and limitations under the License. --> - + diff --git a/nifi-docs/src/main/asciidoc/images/s2s-rproxy-portnumber.svg b/nifi-docs/src/main/asciidoc/images/s2s-rproxy-portnumber.svg index 47e32847892f..5ebc23a81261 100644 --- a/nifi-docs/src/main/asciidoc/images/s2s-rproxy-portnumber.svg +++ b/nifi-docs/src/main/asciidoc/images/s2s-rproxy-portnumber.svg @@ -13,5 +13,6 @@ See the License for the specific language governing permissions and limitations under the License. --> - + 
diff --git a/nifi-docs/src/main/asciidoc/images/s2s-rproxy-servername.svg b/nifi-docs/src/main/asciidoc/images/s2s-rproxy-servername.svg index 2f68e08f8538..7446504c0a90 100644 --- a/nifi-docs/src/main/asciidoc/images/s2s-rproxy-servername.svg +++ b/nifi-docs/src/main/asciidoc/images/s2s-rproxy-servername.svg @@ -13,5 +13,6 @@ See the License for the specific language governing permissions and limitations under the License. --> - + diff --git a/nifi-mock/src/main/java/org/apache/nifi/provenance/MockProvenanceRepository.java b/nifi-mock/src/main/java/org/apache/nifi/provenance/MockProvenanceRepository.java index 30e6bd17a34f..e1d8321f6bf5 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/provenance/MockProvenanceRepository.java +++ b/nifi-mock/src/main/java/org/apache/nifi/provenance/MockProvenanceRepository.java @@ -23,7 +23,6 @@ import java.util.List; import java.util.Set; import java.util.concurrent.atomic.AtomicLong; - import org.apache.nifi.authorization.Authorizer; import org.apache.nifi.authorization.user.NiFiUser; import org.apache.nifi.events.EventReporter; diff --git a/nifi-mock/src/main/java/org/apache/nifi/state/MockStateManager.java b/nifi-mock/src/main/java/org/apache/nifi/state/MockStateManager.java index 81ad988ca904..f1243261b0f8 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/state/MockStateManager.java +++ b/nifi-mock/src/main/java/org/apache/nifi/state/MockStateManager.java @@ -21,7 +21,6 @@ import java.util.Collections; import java.util.Map; import java.util.concurrent.atomic.AtomicInteger; - import org.apache.nifi.annotation.behavior.Stateful; import org.apache.nifi.components.state.Scope; import org.apache.nifi.components.state.StateManager; @@ -120,7 +119,7 @@ public synchronized boolean replace(final StateMap oldValue, final Map emptyMap(), scope); + setState(Collections.emptyMap(), scope); } private void verifyCanSet(final Scope scope) throws IOException { 
diff --git a/nifi-mock/src/main/java/org/apache/nifi/state/MockStateMap.java b/nifi-mock/src/main/java/org/apache/nifi/state/MockStateMap.java index cfce4670a0c6..3956ff5a5b8b 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/state/MockStateMap.java +++ b/nifi-mock/src/main/java/org/apache/nifi/state/MockStateMap.java @@ -20,7 +20,6 @@ import java.util.Collections; import java.util.HashMap; import java.util.Map; - import org.apache.nifi.components.state.StateMap; public class MockStateMap implements StateMap { @@ -28,7 +27,7 @@ public class MockStateMap implements StateMap { private final long version; public MockStateMap(final Map stateValues, final long version) { - this.stateValues = stateValues == null ? Collections. emptyMap() : new HashMap<>(stateValues); + this.stateValues = stateValues == null ? Collections.emptyMap() : new HashMap<>(stateValues); this.version = version; } diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/CapturingLogger.java b/nifi-mock/src/main/java/org/apache/nifi/util/CapturingLogger.java index a289eaae66ee..5b4a58c1ae21 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/CapturingLogger.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/CapturingLogger.java @@ -3,7 +3,6 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; - import org.slf4j.Logger; import org.slf4j.Marker; import org.slf4j.helpers.MessageFormatter; 
@@ -33,11 +32,11 @@ public class CapturingLogger implements Logger { private final Logger logger; - private List traceMessages = new ArrayList<>(); - private List debugMessages = new ArrayList<>(); - private List infoMessages = new ArrayList<>(); - private List warnMessages = new ArrayList<>(); - private List errorMessages = new ArrayList<>(); + private final List traceMessages = new ArrayList<>(); + private final List debugMessages = new ArrayList<>(); + private final List infoMessages = new ArrayList<>(); + private final List warnMessages = new ArrayList<>(); + private final List errorMessages = new ArrayList<>(); public CapturingLogger(final Logger logger) { this.logger = logger; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/ControllerServiceConfiguration.java b/nifi-mock/src/main/java/org/apache/nifi/util/ControllerServiceConfiguration.java index bd623cafc640..e23e99aaa918 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/ControllerServiceConfiguration.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/ControllerServiceConfiguration.java @@ -20,7 +20,6 @@ import java.util.HashMap; import java.util.Map; import java.util.concurrent.atomic.AtomicBoolean; - import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.controller.ControllerService; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockBulletinRepository.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockBulletinRepository.java index a52853ac0438..89a0cf9074cc 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockBulletinRepository.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockBulletinRepository.java @@ -16,12 +16,11 @@ */ package org.apache.nifi.util; +import java.util.List; import org.apache.nifi.reporting.Bulletin; import org.apache.nifi.reporting.BulletinQuery; import org.apache.nifi.reporting.BulletinRepository; -import java.util.List; - public class MockBulletinRepository implements BulletinRepository { @Override 
diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockComponentLog.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockComponentLog.java index e58cf50b8542..4bb655ea6885 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockComponentLog.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockComponentLog.java @@ -17,7 +17,6 @@ package org.apache.nifi.util; import java.util.List; - import org.apache.nifi.logging.ComponentLog; import org.apache.nifi.logging.LogLevel; import org.slf4j.Logger; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockConfigurationContext.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockConfigurationContext.java index 307f474fd7dd..4e68366c513d 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockConfigurationContext.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockConfigurationContext.java @@ -20,7 +20,6 @@ import java.util.LinkedHashMap; import java.util.Map; import java.util.concurrent.TimeUnit; - import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyValue; import org.apache.nifi.controller.ConfigurationContext; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockControllerServiceInitializationContext.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockControllerServiceInitializationContext.java index 021bdc24596a..79cb9612b034 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockControllerServiceInitializationContext.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockControllerServiceInitializationContext.java @@ -16,6 +16,7 @@ */ package org.apache.nifi.util; +import java.io.File; import org.apache.nifi.components.state.StateManager; import org.apache.nifi.controller.ControllerService; import org.apache.nifi.controller.ControllerServiceInitializationContext; 
@@ -25,8 +26,6 @@ import org.apache.nifi.logging.ComponentLog; import org.apache.nifi.state.MockStateManager; -import java.io.File; - public class MockControllerServiceInitializationContext extends MockControllerServiceLookup implements ControllerServiceInitializationContext, ControllerServiceLookup, NodeTypeProvider { private final String identifier; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockControllerServiceLookup.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockControllerServiceLookup.java index ec7b179e422f..5bec0ce0783d 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockControllerServiceLookup.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockControllerServiceLookup.java @@ -20,7 +20,6 @@ import java.util.Map; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; - import org.apache.nifi.annotation.behavior.InputRequirement; import org.apache.nifi.controller.ControllerService; import org.apache.nifi.controller.ControllerServiceLookup; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockEventAccess.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockEventAccess.java index 38d1619e14d0..b6cd7ade8b66 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockEventAccess.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockEventAccess.java @@ -21,7 +21,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; - import org.apache.nifi.action.Action; import org.apache.nifi.controller.status.ProcessGroupStatus; import org.apache.nifi.provenance.ProvenanceEventRecord; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockFlowFileQueue.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockFlowFileQueue.java index 0c6ec2a7a9ca..2abcc4f6d0c5 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockFlowFileQueue.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockFlowFileQueue.java 
@@ -22,7 +22,6 @@ import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReadWriteLock; import java.util.concurrent.locks.ReentrantReadWriteLock; - import org.apache.nifi.controller.queue.QueueSize; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockKerberosContext.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockKerberosContext.java index 480eab8699d3..fa77ca3d639d 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockKerberosContext.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockKerberosContext.java @@ -16,9 +16,8 @@ */ package org.apache.nifi.util; -import org.apache.nifi.kerberos.KerberosContext; - import java.io.File; +import org.apache.nifi.kerberos.KerberosContext; public class MockKerberosContext implements KerberosContext { diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessContext.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessContext.java index e850bc88819f..ffc2711c3424 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessContext.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessContext.java @@ -16,6 +16,18 @@ */ package org.apache.nifi.util; +import static java.util.Objects.requireNonNull; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.LinkedHashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Set; import org.apache.nifi.annotation.behavior.InputRequirement; import org.apache.nifi.attribute.expression.language.Query; import org.apache.nifi.attribute.expression.language.Query.Range; 
@@ -36,19 +48,6 @@ import org.apache.nifi.state.MockStateManager; import org.junit.Assert; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.LinkedHashMap; -import java.util.List; -import java.util.Map; -import java.util.Objects; -import java.util.Set; - -import static java.util.Objects.requireNonNull; - public class MockProcessContext extends MockControllerServiceLookup implements ProcessContext, ControllerServiceLookup, NodeTypeProvider { private final ConfigurableComponent component; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessSession.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessSession.java index fe9faf9ff8ce..dd56b6ccd6e3 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessSession.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessSession.java @@ -16,22 +16,6 @@ */ package org.apache.nifi.util; -import org.apache.nifi.controller.queue.QueueSize; -import org.apache.nifi.flowfile.FlowFile; -import org.apache.nifi.flowfile.attributes.CoreAttributes; -import org.apache.nifi.processor.FlowFileFilter; -import org.apache.nifi.processor.ProcessSession; -import org.apache.nifi.processor.Processor; -import org.apache.nifi.processor.Relationship; -import org.apache.nifi.processor.exception.FlowFileAccessException; -import org.apache.nifi.processor.exception.FlowFileHandlingException; -import org.apache.nifi.processor.exception.ProcessException; -import org.apache.nifi.processor.io.InputStreamCallback; -import org.apache.nifi.processor.io.OutputStreamCallback; -import org.apache.nifi.processor.io.StreamCallback; -import org.apache.nifi.provenance.ProvenanceReporter; -import org.junit.Assert; - import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.Closeable; 
@@ -58,6 +42,21 @@ import java.util.concurrent.atomic.AtomicLong; import java.util.regex.Pattern; import java.util.stream.Collectors; +import org.apache.nifi.controller.queue.QueueSize; +import org.apache.nifi.flowfile.FlowFile; +import org.apache.nifi.flowfile.attributes.CoreAttributes; +import org.apache.nifi.processor.FlowFileFilter; +import org.apache.nifi.processor.ProcessSession; +import org.apache.nifi.processor.Processor; +import org.apache.nifi.processor.Relationship; +import org.apache.nifi.processor.exception.FlowFileAccessException; +import org.apache.nifi.processor.exception.FlowFileHandlingException; +import org.apache.nifi.processor.exception.ProcessException; +import org.apache.nifi.processor.io.InputStreamCallback; +import org.apache.nifi.processor.io.OutputStreamCallback; +import org.apache.nifi.processor.io.StreamCallback; +import org.apache.nifi.provenance.ProvenanceReporter; +import org.junit.Assert; public class MockProcessSession implements ProcessSession { @@ -1357,10 +1356,6 @@ boolean isFlowFileKnown(final FlowFile flowFile) { final String curUuid = curFlowFile.getAttribute(CoreAttributes.UUID.key()); final String providedUuid = curFlowFile.getAttribute(CoreAttributes.UUID.key()); - if (!curUuid.equals(providedUuid)) { - return false; - } - - return true; + return curUuid.equals(providedUuid); } } diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessorInitializationContext.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessorInitializationContext.java index d48fc3de23bf..2ac2b731970d 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessorInitializationContext.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockProcessorInitializationContext.java 
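Review bot: In the `isFlowFileKnown` hunk of MockProcessSession.java, `providedUuid` is read from `curFlowFile`, the same object that supplies `curUuid`, so the simplified `return curUuid.equals(providedUuid);` compares a value with itself and can never return false. The commit preserves this behaviour rather than introducing it, but the check presumably meant to read the argument: `final String providedUuid = flowFile.getAttribute(CoreAttributes.UUID.key());`. A mock session that treats every FlowFile as known can hide FlowFile-ownership mistakes in the processors tested against it. `curUuid.equals(...)` also throws if the UUID attribute is absent, which `curUuid != null && curUuid.equals(providedUuid)` would avoid. The method body starts outside the hunk, so how `curFlowFile` is obtained is not visible here.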
@@ -19,7 +19,6 @@ import java.io.File; import java.util.Set; import java.util.UUID; - import org.apache.nifi.controller.ControllerService; import org.apache.nifi.controller.ControllerServiceLookup; import org.apache.nifi.controller.NodeTypeProvider; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockPropertyContext.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockPropertyContext.java index 5c4647d20bea..6f110b20923d 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockPropertyContext.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockPropertyContext.java @@ -16,13 +16,12 @@ */ package org.apache.nifi.util; +import java.util.LinkedHashMap; +import java.util.Map; import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyValue; import org.apache.nifi.context.PropertyContext; -import java.util.LinkedHashMap; -import java.util.Map; - public class MockPropertyContext implements PropertyContext { private final Map properties; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockPropertyValue.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockPropertyValue.java index 209559b5e637..9b7d72b18950 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockPropertyValue.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockPropertyValue.java @@ -16,8 +16,11 @@ */ package org.apache.nifi.util; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.concurrent.TimeUnit; import org.apache.nifi.annotation.behavior.InputRequirement; -import org.apache.nifi.parameter.ParameterLookup; import org.apache.nifi.attribute.expression.language.Query; import org.apache.nifi.attribute.expression.language.Query.Range; import org.apache.nifi.attribute.expression.language.StandardPropertyValue; 
@@ -28,15 +31,11 @@ import org.apache.nifi.expression.AttributeValueDecorator; import org.apache.nifi.expression.ExpressionLanguageScope; import org.apache.nifi.flowfile.FlowFile; +import org.apache.nifi.parameter.ParameterLookup; import org.apache.nifi.processor.DataUnit; import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.registry.VariableRegistry; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.concurrent.TimeUnit; - public class MockPropertyValue implements PropertyValue { private final String rawValue; private final Boolean expectExpressions; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockProvenanceReporter.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockProvenanceReporter.java index 37a6393e8091..55e3a8145788 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockProvenanceReporter.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockProvenanceReporter.java @@ -20,7 +20,6 @@ import java.util.Collections; import java.util.LinkedHashSet; import java.util.Set; - import org.apache.nifi.flowfile.FlowFile; import org.apache.nifi.processor.Relationship; import org.apache.nifi.processor.exception.FlowFileHandlingException; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockReportingContext.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockReportingContext.java index b9e23c381efc..5a0fd846b124 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockReportingContext.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockReportingContext.java @@ -22,7 +22,6 @@ import java.util.LinkedHashMap; import java.util.List; import java.util.Map; - import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyValue; import org.apache.nifi.components.state.StateManager; 
diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockReportingInitializationContext.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockReportingInitializationContext.java index d1b8e5c84b06..4b74acc8118d 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockReportingInitializationContext.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockReportingInitializationContext.java @@ -20,7 +20,6 @@ import java.util.HashMap; import java.util.Map; import java.util.concurrent.TimeUnit; - import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.controller.ControllerServiceLookup; import org.apache.nifi.controller.NodeTypeProvider; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockSessionFactory.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockSessionFactory.java index 010cc97646db..9b6b78f39f13 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockSessionFactory.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockSessionFactory.java @@ -19,7 +19,6 @@ import java.util.Collections; import java.util.Set; import java.util.concurrent.CopyOnWriteArraySet; - import org.apache.nifi.processor.ProcessSession; import org.apache.nifi.processor.ProcessSessionFactory; import org.apache.nifi.processor.Processor; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockValidationContext.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockValidationContext.java index e913204c5756..d4a198b0a00a 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockValidationContext.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockValidationContext.java 
@@ -16,8 +16,13 @@ */ package org.apache.nifi.util; -import org.apache.nifi.parameter.ExpressionLanguageAgnosticParameterParser; -import org.apache.nifi.parameter.ParameterLookup; +import java.util.Collection; +import java.util.HashMap; +import java.util.LinkedHashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.stream.Collectors; import org.apache.nifi.attribute.expression.language.Query; import org.apache.nifi.attribute.expression.language.Query.Range; import org.apache.nifi.attribute.expression.language.StandardExpressionLanguageCompiler; @@ -28,19 +33,13 @@ import org.apache.nifi.controller.ControllerService; import org.apache.nifi.controller.ControllerServiceLookup; import org.apache.nifi.expression.ExpressionLanguageCompiler; +import org.apache.nifi.parameter.ExpressionLanguageAgnosticParameterParser; +import org.apache.nifi.parameter.ExpressionLanguageAwareParameterParser; +import org.apache.nifi.parameter.ParameterLookup; import org.apache.nifi.parameter.ParameterParser; import org.apache.nifi.parameter.ParameterReference; -import org.apache.nifi.parameter.ExpressionLanguageAwareParameterParser; import org.apache.nifi.registry.VariableRegistry; -import java.util.Collection; -import java.util.HashMap; -import java.util.LinkedHashMap; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.stream.Collectors; - public class MockValidationContext extends MockControllerServiceLookup implements ValidationContext, ControllerServiceLookup { private final MockProcessContext context; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/MockVariableRegistry.java b/nifi-mock/src/main/java/org/apache/nifi/util/MockVariableRegistry.java index c782b4f40a3c..027baa1501cc 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/MockVariableRegistry.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/MockVariableRegistry.java 
@@ -20,7 +20,6 @@ import java.util.Collections; import java.util.HashMap; import java.util.Map; - import org.apache.nifi.registry.VariableDescriptor; import org.apache.nifi.registry.VariableRegistry; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/SharedSessionState.java b/nifi-mock/src/main/java/org/apache/nifi/util/SharedSessionState.java index 994735b0ff5b..f9ff0c90704c 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/SharedSessionState.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/SharedSessionState.java @@ -25,7 +25,6 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; import java.util.concurrent.atomic.AtomicLong; - import org.apache.nifi.processor.Processor; import org.apache.nifi.provenance.ProvenanceEventRecord; import org.apache.nifi.provenance.ProvenanceReporter; diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/StandardProcessorTestRunner.java b/nifi-mock/src/main/java/org/apache/nifi/util/StandardProcessorTestRunner.java index 297791679daf..c2db427d0406 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/StandardProcessorTestRunner.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/StandardProcessorTestRunner.java 
@@ -16,6 +16,33 @@ */ package org.apache.nifi.util; +import static java.util.Objects.requireNonNull; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.lang.reflect.InvocationTargetException; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Path; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.Comparator; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Set; +import java.util.concurrent.Callable; +import java.util.concurrent.Executors; +import java.util.concurrent.Future; +import java.util.concurrent.ScheduledExecutorService; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.atomic.AtomicInteger; +import java.util.concurrent.atomic.AtomicLong; +import java.util.function.Predicate; import org.apache.nifi.annotation.behavior.TriggerSerially; import org.apache.nifi.annotation.lifecycle.OnAdded; import org.apache.nifi.annotation.lifecycle.OnConfigurationRestored; 
@@ -46,34 +73,6 @@ import org.apache.nifi.state.MockStateManager; import org.junit.Assert; -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.lang.reflect.InvocationTargetException; -import java.nio.charset.StandardCharsets; -import java.nio.file.Files; -import java.nio.file.Path; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.Comparator; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Objects; -import java.util.Set; -import java.util.concurrent.Callable; -import java.util.concurrent.Executors; -import java.util.concurrent.Future; -import java.util.concurrent.ScheduledExecutorService; -import java.util.concurrent.TimeUnit; -import java.util.concurrent.atomic.AtomicInteger; -import java.util.concurrent.atomic.AtomicLong; -import java.util.function.Predicate; - -import static java.util.Objects.requireNonNull; - public class StandardProcessorTestRunner implements TestRunner { private final Processor processor; @@ -419,7 +418,7 @@ public MockFlowFile enqueue(final byte[] data) { @Override public MockFlowFile enqueue(final String data) { - return enqueue(data.getBytes(StandardCharsets.UTF_8), Collections. emptyMap()); + return enqueue(data.getBytes(StandardCharsets.UTF_8), Collections.emptyMap()); } @Override diff --git a/nifi-mock/src/main/java/org/apache/nifi/util/TestRunner.java b/nifi-mock/src/main/java/org/apache/nifi/util/TestRunner.java index ce5a837fd887..23e5ebb11155 100644 --- a/nifi-mock/src/main/java/org/apache/nifi/util/TestRunner.java +++ b/nifi-mock/src/main/java/org/apache/nifi/util/TestRunner.java 
@@ -16,6 +16,12 @@ */ package org.apache.nifi.util; +import java.io.IOException; +import java.io.InputStream; +import java.nio.file.Path; +import java.util.List; +import java.util.Map; +import java.util.function.Predicate; import org.apache.nifi.components.AllowableValue; import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.ValidationResult; @@ -31,13 +37,6 @@ import org.apache.nifi.reporting.InitializationException; import org.apache.nifi.state.MockStateManager; -import java.io.IOException; -import java.io.InputStream; -import java.nio.file.Path; -import java.util.List; -import java.util.Map; -import java.util.function.Predicate; - public interface TestRunner { /** @@ -907,7 +906,7 @@ public interface TestRunner { * Returns the {@link MockComponentLog} that is used by the Processor under test. * @return the logger */ - public MockComponentLog getLogger(); + MockComponentLog getLogger(); /** * Returns the {@link MockComponentLog} that is used by the specified controller service. @@ -915,7 +914,7 @@ public interface TestRunner { * @param identifier a controller service identifier * @return the logger */ - public MockComponentLog getControllerServiceLogger(final String identifier); + MockComponentLog getControllerServiceLogger(final String identifier); /** * @return the State Manager that is used to stored and retrieve state diff --git a/nifi-mock/src/test/java/org/apache/nifi/util/TestMockProcessContext.java b/nifi-mock/src/test/java/org/apache/nifi/util/TestMockProcessContext.java index f1137ed9d103..f83db9f9464e 100644 --- a/nifi-mock/src/test/java/org/apache/nifi/util/TestMockProcessContext.java +++ b/nifi-mock/src/test/java/org/apache/nifi/util/TestMockProcessContext.java @@ -25,7 +25,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; - import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.processor.AbstractProcessor; import org.apache.nifi.processor.ProcessContext; 
diff --git a/nifi-mock/src/test/java/org/apache/nifi/util/TestMockProcessSession.java b/nifi-mock/src/test/java/org/apache/nifi/util/TestMockProcessSession.java index 6ba99c7f553a..bf4c6e642e48 100644 --- a/nifi-mock/src/test/java/org/apache/nifi/util/TestMockProcessSession.java +++ b/nifi-mock/src/test/java/org/apache/nifi/util/TestMockProcessSession.java @@ -25,7 +25,6 @@ import java.util.Collections; import java.util.Set; import java.util.concurrent.atomic.AtomicLong; - import org.apache.nifi.flowfile.FlowFile; import org.apache.nifi.processor.AbstractProcessor; import org.apache.nifi.processor.ProcessContext; diff --git a/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/AbstractAMQPProcessor.java b/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/AbstractAMQPProcessor.java index c947b7a286e4..642aa1b4007e 100644 --- a/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/AbstractAMQPProcessor.java +++ b/nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/AbstractAMQPProcessor.java @@ -19,6 +19,7 @@ import com.rabbitmq.client.Connection; import com.rabbitmq.client.ConnectionFactory; import com.rabbitmq.client.DefaultSaslConfig; +import com.rabbitmq.client.impl.DefaultExceptionHandler; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -28,8 +29,6 @@ import java.util.concurrent.Executors; import java.util.concurrent.LinkedBlockingQueue; import javax.net.ssl.SSLContext; - -import com.rabbitmq.client.impl.DefaultExceptionHandler; import org.apache.commons.lang3.concurrent.BasicThreadFactory; import org.apache.nifi.annotation.lifecycle.OnScheduled; import org.apache.nifi.annotation.lifecycle.OnStopped; 
@@ -42,7 +41,7 @@ import org.apache.nifi.processor.ProcessSession; import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.util.StandardValidators; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; @@ -121,7 +120,7 @@ abstract class AbstractAMQPProcessor extends AbstractProce .displayName("Client Auth") .description("The property has no effect and therefore deprecated.") .required(false) - .allowableValues(SslContextFactory.ClientAuth.values()) + .allowableValues(ClientAuth.values()) .defaultValue("NONE") .build(); @@ -299,7 +298,7 @@ protected Connection createConnection(ProcessContext context, ExecutorService ex final Boolean useCertAuthentication = context.getProperty(USE_CERT_AUTHENTICATION).asBoolean(); if (sslService != null) { - final SSLContext sslContext = sslService.createSSLContext(SslContextFactory.ClientAuth.NONE); + final SSLContext sslContext = sslService.createSSLContext(ClientAuth.NONE); cf.useSslProtocol(sslContext); if (useCertAuthentication) { diff --git a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/AbstractAWSProcessor.java b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/AbstractAWSProcessor.java index d56d9ee394a8..f6bed479c925 100644 --- a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/AbstractAWSProcessor.java +++ b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/AbstractAWSProcessor.java 
@@ -58,7 +58,7 @@ import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors; import org.apache.nifi.proxy.ProxyConfiguration; import org.apache.nifi.proxy.ProxySpec; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; /** @@ -227,7 +227,7 @@ protected ClientConfiguration createConfiguration(final ProcessContext context) if(this.getSupportedPropertyDescriptors().contains(SSL_CONTEXT_SERVICE)) { final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class); if (sslContextService != null) { - final SSLContext sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.NONE); + final SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.NONE); // NIFI-3788: Changed hostnameVerifier from null to DHV (BrowserCompatibleHostnameVerifier is deprecated) SdkTLSSocketFactory sdkTLSSocketFactory = new SdkTLSSocketFactory(sslContext, new DefaultHostnameVerifier()); config.getApacheHttpClientConfig().setSslSocketFactory(sdkTLSSocketFactory); diff --git a/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java b/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java index 5509318db006..eab3e76e1565 100644 --- a/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java +++ b/nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java 
@@ -57,7 +57,7 @@ import org.apache.nifi.processors.beats.handler.BeatsSocketChannelHandlerFactory; import org.apache.nifi.processors.beats.response.BeatsChannelResponse; import org.apache.nifi.processors.beats.response.BeatsResponse; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.RestrictedSSLContextService; import org.apache.nifi.ssl.SSLContextService; @@ -90,8 +90,8 @@ public class ListenBeats extends AbstractListenEventBatchingProcessor properties; @@ -126,7 +126,7 @@ private void setupClient(ConfigurationContext context) throws MalformedURLExcept final SSLContext sslContext; try { sslContext = (sslService != null && (sslService.isKeyStoreConfigured() || sslService.isTrustStoreConfigured())) - ? sslService.createSSLContext(SslContextFactory.ClientAuth.NONE) : null; + ? sslService.createSSLContext(ClientAuth.NONE) : null; } catch (Exception e) { getLogger().error("Error building up SSL Context from the supplied configuration.", e); throw new InitializationException(e); diff --git a/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java b/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java index b443fd4c360b..4d4c27f98a15 100644 --- a/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java +++ b/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java 
@@ -49,7 +49,7 @@ import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.processors.email.smtp.SmtpConsumer; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.RestrictedSSLContextService; import org.apache.nifi.ssl.SSLContextService; import org.springframework.util.StringUtils; @@ -133,7 +133,7 @@ public class ListenSMTP extends AbstractSessionFactoryProcessor { .displayName("Client Auth") .description("The client authentication policy to use for the SSL Context. Only used if an SSL Context Service is provided.") .required(false) - .allowableValues(SslContextFactory.ClientAuth.NONE.name(), SslContextFactory.ClientAuth.REQUIRED.name()) + .allowableValues(ClientAuth.NONE.name(), ClientAuth.REQUIRED.name()) .build(); protected static final PropertyDescriptor SMTP_HOSTNAME = new PropertyDescriptor.Builder() @@ -249,12 +249,12 @@ private SMTPServer prepareServer(final ProcessContext context, final ProcessSess public SSLSocket createSSLSocket(Socket socket) throws IOException { InetSocketAddress remoteAddress = (InetSocketAddress) socket.getRemoteSocketAddress(); String clientAuth = context.getProperty(CLIENT_AUTH).getValue(); - SSLContext sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.valueOf(clientAuth)); + SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuth)); SSLSocketFactory socketFactory = sslContext.getSocketFactory(); SSLSocket sslSocket = (SSLSocket) (socketFactory.createSocket(socket, remoteAddress.getHostName(), socket.getPort(), true)); sslSocket.setUseClientMode(false); - if (SslContextFactory.ClientAuth.REQUIRED.toString().equals(clientAuth)) { + if (ClientAuth.REQUIRED.toString().equals(clientAuth)) { this.setRequireTLS(true); sslSocket.setNeedClientAuth(true); } 
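Review bot: In `createSSLSocket` the new line `if (ClientAuth.REQUIRED.toString().equals(clientAuth)) {` compares the property value with `toString()`, while the `CLIENT_AUTH` descriptor offers `ClientAuth.NONE.name()` and `ClientAuth.REQUIRED.name()`, and the line above parses the same value with `ClientAuth.valueOf(clientAuth)`, which matches on `name()`. Because this commit swaps the enum class, the result now depends on the new `ClientAuth.toString()`; if that method is overridden, the branch is never taken and `setRequireTLS(true)` / `setNeedClientAuth(true)` are silently skipped, leaving the listener accepting clients without a certificate even when REQUIRED is configured. Comparing enum values removes that dependency: `if (ClientAuth.REQUIRED == ClientAuth.valueOf(clientAuth)) {`. `CLIENT_AUTH` is `required(false)` and no default is visible in the descriptor hunk, so it is worth confirming that validation elsewhere keeps a null value from reaching `valueOf`. The method body continues outside the hunk.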
diff --git a/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java b/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java index 2e6c78372420..7138bcf874e5 100644 --- a/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java +++ b/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java @@ -19,22 +19,19 @@ import static org.junit.Assert.assertTrue; import java.util.Properties; - import javax.mail.Message; import javax.mail.MessagingException; import javax.mail.Session; import javax.mail.Transport; import javax.mail.internet.InternetAddress; import javax.mail.internet.MimeMessage; - import org.apache.nifi.remote.io.socket.NetworkUtils; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.StandardRestrictedSSLContextService; import org.apache.nifi.ssl.StandardSSLContextService; import org.apache.nifi.util.TestRunner; import org.apache.nifi.util.TestRunners; - import org.junit.Test; public class TestListenSMTP { @@ -98,7 +95,7 @@ public void testListenSMTPwithTLS() throws Exception { // and add the SSL context to the runner runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, "ssl-context"); - runner.setProperty(ListenSMTP.CLIENT_AUTH, SslContextFactory.ClientAuth.NONE.name()); + runner.setProperty(ListenSMTP.CLIENT_AUTH, ClientAuth.NONE.name()); runner.assertValid(); runner.run(1, false); 
diff --git a/nifi-nar-bundles/nifi-extension-utils/nifi-processor-utils/src/main/java/org/apache/nifi/processor/util/listen/dispatcher/SocketChannelDispatcher.java b/nifi-nar-bundles/nifi-extension-utils/nifi-processor-utils/src/main/java/org/apache/nifi/processor/util/listen/dispatcher/SocketChannelDispatcher.java index 9f73b280b7dd..d0be2563f9dd 100644 --- a/nifi-nar-bundles/nifi-extension-utils/nifi-processor-utils/src/main/java/org/apache/nifi/processor/util/listen/dispatcher/SocketChannelDispatcher.java +++ b/nifi-nar-bundles/nifi-extension-utils/nifi-processor-utils/src/main/java/org/apache/nifi/processor/util/listen/dispatcher/SocketChannelDispatcher.java @@ -16,16 +16,6 @@ */ package org.apache.nifi.processor.util.listen.dispatcher; -import org.apache.commons.io.IOUtils; -import org.apache.nifi.logging.ComponentLog; -import org.apache.nifi.processor.util.listen.event.Event; -import org.apache.nifi.processor.util.listen.event.EventFactory; -import org.apache.nifi.processor.util.listen.handler.ChannelHandlerFactory; -import org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel; -import org.apache.nifi.security.util.SslContextFactory; - -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; import java.io.IOException; import java.net.InetAddress; import java.net.InetSocketAddress; 
@@ -44,6 +34,15 @@ import java.util.concurrent.LinkedBlockingQueue; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicInteger; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import org.apache.commons.io.IOUtils; +import org.apache.nifi.logging.ComponentLog; +import org.apache.nifi.processor.util.listen.event.Event; +import org.apache.nifi.processor.util.listen.event.EventFactory; +import org.apache.nifi.processor.util.listen.handler.ChannelHandlerFactory; +import org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel; +import org.apache.nifi.security.util.ClientAuth; /** * Accepts Socket connections on the given port and creates a handler for each connection to @@ -58,7 +57,7 @@ public class SocketChannelDispatcher> implements private final ComponentLog logger; private final int maxConnections; private final SSLContext sslContext; - private final SslContextFactory.ClientAuth clientAuth; + private final ClientAuth clientAuth; private final Charset charset; private ExecutorService executor; @@ -75,7 +74,7 @@ public SocketChannelDispatcher(final EventFactory eventFactory, final int maxConnections, final SSLContext sslContext, final Charset charset) { - this(eventFactory, handlerFactory, bufferPool, events, logger, maxConnections, sslContext, SslContextFactory.ClientAuth.REQUIRED, charset); + this(eventFactory, handlerFactory, bufferPool, events, logger, maxConnections, sslContext, ClientAuth.REQUIRED, charset); } public SocketChannelDispatcher(final EventFactory eventFactory, @@ -85,7 +84,7 @@ public SocketChannelDispatcher(final EventFactory eventFactory, final ComponentLog logger, final int maxConnections, final SSLContext sslContext, - final SslContextFactory.ClientAuth clientAuth, + final ClientAuth clientAuth, final Charset charset) { this.eventFactory = eventFactory; this.handlerFactory = handlerFactory; 
diff --git a/nifi-nar-bundles/nifi-extension-utils/nifi-record-utils/nifi-standard-record-utils/src/main/java/org/apache/nifi/record/listen/SocketChannelRecordReaderDispatcher.java b/nifi-nar-bundles/nifi-extension-utils/nifi-record-utils/nifi-standard-record-utils/src/main/java/org/apache/nifi/record/listen/SocketChannelRecordReaderDispatcher.java index 2e6ecc2de64f..2c7c93a43326 100644 --- a/nifi-nar-bundles/nifi-extension-utils/nifi-record-utils/nifi-standard-record-utils/src/main/java/org/apache/nifi/record/listen/SocketChannelRecordReaderDispatcher.java +++ b/nifi-nar-bundles/nifi-extension-utils/nifi-record-utils/nifi-standard-record-utils/src/main/java/org/apache/nifi/record/listen/SocketChannelRecordReaderDispatcher.java @@ -16,13 +16,6 @@ */ package org.apache.nifi.record.listen; -import org.apache.nifi.logging.ComponentLog; -import org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel; -import org.apache.nifi.security.util.SslContextFactory; -import org.apache.nifi.serialization.RecordReaderFactory; - -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLEngine; import java.io.Closeable; import java.net.SocketAddress; import java.net.StandardSocketOptions; @@ -30,6 +23,12 @@ import java.nio.channels.SocketChannel; import java.util.concurrent.BlockingQueue; import java.util.concurrent.atomic.AtomicInteger; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import org.apache.nifi.logging.ComponentLog; +import org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel; +import org.apache.nifi.security.util.ClientAuth; +import org.apache.nifi.serialization.RecordReaderFactory; /** * Accepts connections on the given ServerSocketChannel and dispatches a SocketChannelRecordReader for processing. 
@@ -38,7 +37,7 @@ public class SocketChannelRecordReaderDispatcher implements Runnable, Closeable private final ServerSocketChannel serverSocketChannel; private final SSLContext sslContext; - private final SslContextFactory.ClientAuth clientAuth; + private final ClientAuth clientAuth; private final int socketReadTimeout; private final int receiveBufferSize; private final int maxConnections; @@ -52,7 +51,7 @@ public class SocketChannelRecordReaderDispatcher implements Runnable, Closeable public SocketChannelRecordReaderDispatcher(final ServerSocketChannel serverSocketChannel, final SSLContext sslContext, - final SslContextFactory.ClientAuth clientAuth, + final ClientAuth clientAuth, final int socketReadTimeout, final int receiveBufferSize, final int maxConnections, diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml index 78ef21f7de7c..142cf189d7bb 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml @@ -53,6 +53,12 @@ nifi-stateless 1.13.0-SNAPSHOT + + + org.apache.nifi + nifi-security-utils-api + compile + @@ -75,6 +81,6 @@ nifi-properties provided - + diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml index 7cc5fcbd425b..b0c8cfcac80a 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml @@ -84,7 +84,7 @@ **/authorization/file/generated/*.java,**/authorization/file/tenants/generated/*.java,**/user/generated/*.java - + 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/ServerSocketConfigurationFactoryBean.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/ServerSocketConfigurationFactoryBean.java index b7de63542220..c76cb4cc38aa 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/ServerSocketConfigurationFactoryBean.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/ServerSocketConfigurationFactoryBean.java @@ -18,7 +18,7 @@ import java.util.concurrent.TimeUnit; import org.apache.nifi.io.socket.ServerSocketConfiguration; -import org.apache.nifi.security.util.TlsConfiguration; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.util.FormatUtils; import org.apache.nifi.util.NiFiProperties; import org.springframework.beans.factory.FactoryBean; @@ -44,7 +44,7 @@ public ServerSocketConfiguration getObject() throws Exception { // If the cluster protocol is marked as secure if (Boolean.parseBoolean(properties.getProperty(NiFiProperties.CLUSTER_PROTOCOL_IS_SECURE))) { // Parse the TLS configuration from the properties - configuration.setTlsConfiguration(TlsConfiguration.fromNiFiProperties(properties)); + configuration.setTlsConfiguration(StandardTlsConfiguration.fromNiFiProperties(properties)); } } return configuration; 
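Review bot: The result of `StandardTlsConfiguration.fromNiFiProperties(properties)` is handed straight to `setTlsConfiguration` without checking that a keystore and truststore are configured, even though this branch runs only when `NiFiProperties.CLUSTER_PROTOCOL_IS_SECURE` is true. Whether `fromNiFiProperties` validates its input is not visible here. If it does not, a half-filled configuration would surface only when the first cluster socket is opened, so I would fail fast in `getObject()` with something like `throw new IllegalStateException("Cluster protocol is marked secure but the TLS configuration is incomplete");`, guarded by whatever completeness check `TlsConfiguration` exposes. The same applies to the matching hunk in SocketConfigurationFactoryBean. `getObject()` starts outside both hunks.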
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/SocketConfigurationFactoryBean.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/SocketConfigurationFactoryBean.java index 5458f1ed836d..1d134d746901 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/SocketConfigurationFactoryBean.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/spring/SocketConfigurationFactoryBean.java @@ -18,7 +18,7 @@ import java.util.concurrent.TimeUnit; import org.apache.nifi.io.socket.SocketConfiguration; -import org.apache.nifi.security.util.TlsConfiguration; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.util.FormatUtils; import org.apache.nifi.util.NiFiProperties; import org.springframework.beans.factory.FactoryBean; @@ -44,7 +44,7 @@ public SocketConfiguration getObject() throws Exception { // If the cluster protocol is marked as secure if (Boolean.parseBoolean(properties.getProperty(NiFiProperties.CLUSTER_PROTOCOL_IS_SECURE))) { // Parse the TLS configuration from the properties - configuration.setTlsConfiguration(TlsConfiguration.fromNiFiProperties(properties)); + configuration.setTlsConfiguration(StandardTlsConfiguration.fromNiFiProperties(properties)); } } return configuration; 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/main/java/org/apache/nifi/cluster/coordination/http/replication/okhttp/OkHttpReplicationClient.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/main/java/org/apache/nifi/cluster/coordination/http/replication/okhttp/OkHttpReplicationClient.java index 6f88b37e6988..e8506bdab4bb 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/main/java/org/apache/nifi/cluster/coordination/http/replication/okhttp/OkHttpReplicationClient.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/main/java/org/apache/nifi/cluster/coordination/http/replication/okhttp/OkHttpReplicationClient.java @@ -54,6 +54,7 @@ import org.apache.nifi.cluster.coordination.http.replication.PreparedRequest; import org.apache.nifi.remote.protocol.http.HttpHeaders; import org.apache.nifi.security.util.OkHttpClientUtils; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.stream.io.GZIPOutputStream; import org.apache.nifi.util.FormatUtils; @@ -62,8 +63,6 @@ import org.slf4j.LoggerFactory; import org.springframework.util.StreamUtils; -// Using static imports because of the name conflict: - public class OkHttpReplicationClient implements HttpReplicationClient { private static final Logger logger = LoggerFactory.getLogger(OkHttpReplicationClient.class); private static final Set gzipEncodings = Stream.of("gzip", "x-gzip").collect(Collectors.toSet()); 
@@ -318,7 +317,7 @@ private OkHttpClient createOkHttpClient(final NiFiProperties properties) { // Apply the TLS configuration, if present try { - TlsConfiguration tlsConfiguration = TlsConfiguration.fromNiFiProperties(properties); + TlsConfiguration tlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(properties); tlsConfigured = OkHttpClientUtils.applyTlsToOkHttpClientBuilder(tlsConfiguration, okHttpClientBuilder); } catch (Exception e) { // Legacy expectations around this client are that it does not throw an exception on invalid TLS configuration diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/FlowController.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/FlowController.java index 3cb9f47d4cec..a8892fb9d6d3 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/FlowController.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/FlowController.java 
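Review bot: The changed call `StandardTlsConfiguration.fromNiFiProperties(properties)` sits in a `try` whose `catch (Exception e)` is commented as deliberately not rethrowing. A bad keystore or truststore setting therefore yields a replication client built without the TLS settings applied, with `tlsConfigured` presumably left false. The catch body continues outside the hunk, so whether it logs is not visible. If it does not, I would record the fallback so operators can see it, e.g. `logger.warn("Failed to apply TLS configuration to the replication client; continuing without it", e);`. A short comment on `tlsConfigured` saying what the client does when it is false would also help the next reader.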
@@ -16,6 +16,38 @@ */ package org.apache.nifi.controller; +import static java.util.Objects.requireNonNull; + +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.lang.management.GarbageCollectorMXBean; +import java.lang.management.ManagementFactory; +import java.net.InetSocketAddress; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.Date; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.UUID; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.ConcurrentMap; +import java.util.concurrent.ScheduledExecutorService; +import java.util.concurrent.ScheduledFuture; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.atomic.AtomicBoolean; +import java.util.concurrent.atomic.AtomicInteger; +import java.util.concurrent.atomic.AtomicReference; +import java.util.concurrent.locks.ReentrantReadWriteLock; +import java.util.stream.Collectors; +import javax.management.NotificationEmitter; +import javax.net.ssl.SSLContext; import org.apache.commons.lang3.StringUtils; import org.apache.nifi.admin.service.AuditService; import org.apache.nifi.annotation.lifecycle.OnConfigurationRestored; @@ -177,6 +209,7 @@ import org.apache.nifi.reporting.UserAwareEventAccess; import org.apache.nifi.scheduling.SchedulingStrategy; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.apache.nifi.services.FlowService; 
@@ -193,39 +226,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.management.NotificationEmitter; -import javax.net.ssl.SSLContext; -import java.io.ByteArrayInputStream; -import java.io.File; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.lang.management.GarbageCollectorMXBean; -import java.lang.management.ManagementFactory; -import java.net.InetSocketAddress; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.Date; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.UUID; -import java.util.concurrent.ConcurrentHashMap; -import java.util.concurrent.ConcurrentMap; -import java.util.concurrent.ScheduledExecutorService; -import java.util.concurrent.ScheduledFuture; -import java.util.concurrent.TimeUnit; -import java.util.concurrent.atomic.AtomicBoolean; -import java.util.concurrent.atomic.AtomicInteger; -import java.util.concurrent.atomic.AtomicReference; -import java.util.concurrent.locks.ReentrantReadWriteLock; -import java.util.stream.Collectors; - -import static java.util.Objects.requireNonNull; - public class FlowController implements ReportingTaskProvider, Authorizable, NodeTypeProvider { // default repository implementations @@ -287,7 +287,7 @@ public class FlowController implements ReportingTaskProvider, Authorizable, Node private final ConcurrentMap allOutputPorts = new ConcurrentHashMap<>(); private final ConcurrentMap allFunnels = new ConcurrentHashMap<>(); - private volatile ZooKeeperStateServer zooKeeperStateServer; + private final ZooKeeperStateServer zooKeeperStateServer; // The Heartbeat Bean is used to provide an Atomic Reference to data that is used in heartbeats that may // change while the instance is running. We do this because we want to generate heartbeats even if we 
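Review bot: Changing `zooKeeperStateServer` from `volatile` to `final` (hunk at -287) is a behavioural change in a commit that is otherwise import reordering and type relocation. It deserves a mention in the commit description and a comment on the field. A `final` field must be assigned on every constructor path, including the path where no embedded ZooKeeper server is started, and nothing may reassign or clear it later; the constructor is outside this hunk, so confirm both. I would add `// Assigned once in the constructor; null when the embedded ZooKeeper server is not enabled` above the field, adjusted to whatever the constructor actually does.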
@@ -469,7 +469,7 @@ private FlowController( try { // Form the container object from the properties - TlsConfiguration tlsConfiguration = TlsConfiguration.fromNiFiProperties(nifiProperties); + TlsConfiguration tlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(nifiProperties); this.sslContext = SslContextFactory.createSslContext(tlsConfiguration); } catch (TlsException e) { LOG.error("Unable to start the flow controller because the TLS configuration was invalid: {}", e.getLocalizedMessage()); diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ConnectionLoadBalanceServer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ConnectionLoadBalanceServer.java index b2f91cefde8c..97b08cd51bf1 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ConnectionLoadBalanceServer.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/queue/clustered/server/ConnectionLoadBalanceServer.java @@ -37,6 +37,7 @@ import org.apache.nifi.events.EventReporter; import org.apache.nifi.reporting.Severity; import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.TlsConfiguration; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -117,7 +118,7 @@ private ServerSocket createServerSocket() throws IOException { final SSLServerSocket serverSocket = (SSLServerSocket) sslContext.getServerSocketFactory().createServerSocket(port, 50, inetAddress); serverSocket.setNeedClientAuth(true); // Enforce custom protocols on socket - serverSocket.setEnabledProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions()); + serverSocket.setEnabledProtocols(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()); return serverSocket; } } @@ -132,6 +133,7 @@ protected static class CommunicateAction implements Runnable { private volatile boolean stopped = false; + // This should be final but it is not to allow override during testing; no production code modifies the value private static int EXCEPTION_THRESHOLD_MILLIS = 10_000; private volatile long tlsErrorLastSeen = -1; diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/manager/StandardStateManagerProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/manager/StandardStateManagerProvider.java index a43728d718aa..3214fd728b36 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/manager/StandardStateManagerProvider.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/state/manager/StandardStateManagerProvider.java 
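Review bot: The comment added above `EXCEPTION_THRESHOLD_MILLIS` in `CommunicateAction` (hunk at -132) documents a mutable `private static int` that exists only so tests can override it. The same commit makes the identically named field in SocketRemoteSiteListener `private static final`, so the two now disagree. A static that tests rewrite is shared across every instance and every test in the JVM, so an override left in place changes how often TLS errors are reported elsewhere. I would make the field `private static final int EXCEPTION_THRESHOLD_MILLIS = 10_000;` and pass the threshold through a package-private constructor parameter for tests, or at least extend the comment with `// tests must restore the original value`.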
@@ -56,13 +56,13 @@ import org.apache.nifi.processor.StandardValidationContext; import org.apache.nifi.registry.VariableRegistry; import org.apache.nifi.security.util.SslContextFactory; -import org.apache.nifi.security.util.TlsConfiguration; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.apache.nifi.util.NiFiProperties; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -public class StandardStateManagerProvider implements StateManagerProvider{ +public class StandardStateManagerProvider implements StateManagerProvider { private static final Logger logger = LoggerFactory.getLogger(StandardStateManagerProvider.class); private static StateManagerProvider provider; @@ -219,7 +219,7 @@ private static StateProvider createStateProvider(final File configFile, final Sc final SSLContext sslContext; try { - sslContext = SslContextFactory.createSslContext(TlsConfiguration.fromNiFiProperties(properties)); + sslContext = SslContextFactory.createSslContext(StandardTlsConfiguration.fromNiFiProperties(properties)); } catch (TlsException e) { logger.error("Encountered an error configuring TLS for state manager: ", e); throw new IllegalStateException("Error configuring TLS for state manager", e); diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/registry/flow/StandardFlowRegistryClient.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/registry/flow/StandardFlowRegistryClient.java index ed4feb9b3c33..5987b1d95081 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/registry/flow/StandardFlowRegistryClient.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/registry/flow/StandardFlowRegistryClient.java 
@@ -23,16 +23,15 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; import javax.net.ssl.SSLContext; +import org.apache.http.client.utils.URIBuilder; import org.apache.nifi.security.util.SslContextFactory; -import org.apache.nifi.security.util.TlsConfiguration; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.apache.nifi.util.NiFiProperties; -import org.apache.http.client.utils.URIBuilder; - public class StandardFlowRegistryClient implements FlowRegistryClient { private NiFiProperties nifiProperties; - private ConcurrentMap registryById = new ConcurrentHashMap<>(); + private final ConcurrentMap registryById = new ConcurrentHashMap<>(); @Override public FlowRegistry getFlowRegistry(String registryId) { @@ -79,7 +78,7 @@ public FlowRegistry addFlowRegistry(final String registryId, final String regist final FlowRegistry registry; if (uriScheme.equalsIgnoreCase("http") || uriScheme.equalsIgnoreCase("https")) { try { - final SSLContext sslContext = SslContextFactory.createSslContext(TlsConfiguration.fromNiFiProperties(nifiProperties)); + final SSLContext sslContext = SslContextFactory.createSslContext(StandardTlsConfiguration.fromNiFiProperties(nifiProperties)); if (sslContext == null && uriScheme.equalsIgnoreCase("https")) { throw new IllegalStateException("Failed to create Flow Registry for URI " + registryUrl diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/groovy/org/apache/nifi/controller/queue/clustered/server/ConnectionLoadBalanceServerTest.groovy b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/groovy/org/apache/nifi/controller/queue/clustered/server/ConnectionLoadBalanceServerTest.groovy index 90fb5ec7ba77..8bf702b169c6 100644 
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/groovy/org/apache/nifi/controller/queue/clustered/server/ConnectionLoadBalanceServerTest.groovy +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/groovy/org/apache/nifi/controller/queue/clustered/server/ConnectionLoadBalanceServerTest.groovy @@ -18,10 +18,11 @@ package org.apache.nifi.controller.queue.clustered.server import org.apache.nifi.events.EventReporter import org.apache.nifi.reporting.Severity -import org.apache.nifi.security.util.CertificateUtils +import org.apache.nifi.security.util.ClientAuth import org.apache.nifi.security.util.KeyStoreUtils import org.apache.nifi.security.util.KeystoreType import org.apache.nifi.security.util.SslContextFactory +import org.apache.nifi.security.util.StandardTlsConfiguration import org.apache.nifi.security.util.TlsConfiguration import org.bouncycastle.jce.provider.BouncyCastleProvider import org.junit.After @@ -68,7 +69,7 @@ class ConnectionLoadBalanceServerTest extends GroovyTestCase { logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}") } - tlsConfiguration = new TlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) + tlsConfiguration = new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) sslContext = SslContextFactory.createSslContext(tlsConfiguration) } @@ -90,7 +91,7 @@ class ConnectionLoadBalanceServerTest extends GroovyTestCase { * @param expectedProtocols the specific protocol versions to be present (ordered as desired) */ void assertProtocolVersions(def enabledProtocols, def expectedProtocols) { - if (CertificateUtils.getJavaVersion() > 8) { + if (TlsConfiguration.getJavaVersion() > 8) { assert enabledProtocols == expectedProtocols as String[] } else { assert enabledProtocols as Set == expectedProtocols as Set 
@@ -101,7 +102,7 @@ class ConnectionLoadBalanceServerTest extends GroovyTestCase { void testRequestPeerListShouldUseTLS() { // Arrange logger.info("Creating SSL Context from TLS Configuration: ${tlsConfiguration}") - SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.NONE) logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}") def mockLBP = [ @@ -119,13 +120,13 @@ class ConnectionLoadBalanceServerTest extends GroovyTestCase { // Assert that the default parameters (which can't be modified) still have legacy protocols and no client auth def defaultSSLParameters = sslContext.defaultSSLParameters logger.info("Default SSL Parameters: ${KeyStoreUtils.sslParametersToString(defaultSSLParameters)}" as String) - assertProtocolVersions(defaultSSLParameters.protocols, CertificateUtils.getCurrentSupportedTlsProtocolVersions() + ["TLSv1.1", "TLSv1"]) + assertProtocolVersions(defaultSSLParameters.protocols, TlsConfiguration.getCurrentSupportedTlsProtocolVersions() + ["TLSv1.1", "TLSv1"]) assert !defaultSSLParameters.needClientAuth // Assert that the actual socket is set correctly due to the override in the LB server SSLServerSocket socket = lbServer.serverSocket as SSLServerSocket logger.info("Created SSL server socket: ${KeyStoreUtils.sslServerSocketToString(socket)}" as String) - assertProtocolVersions(socket.enabledProtocols, CertificateUtils.getCurrentSupportedTlsProtocolVersions()) + assertProtocolVersions(socket.enabledProtocols, TlsConfiguration.getCurrentSupportedTlsProtocolVersions()) assert socket.needClientAuth // Clean up 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/controller/queue/clustered/LoadBalancedQueueIT.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/controller/queue/clustered/LoadBalancedQueueIT.java index 354135fe2a72..30b7cf20330e 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/controller/queue/clustered/LoadBalancedQueueIT.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/controller/queue/clustered/LoadBalancedQueueIT.java @@ -92,9 +92,10 @@ import org.apache.nifi.controller.repository.claim.StandardResourceClaimManager; import org.apache.nifi.events.EventReporter; import org.apache.nifi.provenance.ProvenanceRepository; -import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.KeystoreType; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.junit.Before; 
@@ -192,9 +193,9 @@ public Object answer(final InvocationOnMock invocation) { final String keyPass = keystorePass; final String truststore = "src/test/resources/localhost-ts.jks"; final String truststorePass = "wAOR0nQJ2EXvOP0JZ2EaqA/n7W69ILS4sWAHghmIWCc"; - TlsConfiguration tlsConfiguration = new TlsConfiguration(keystore, keystorePass, keyPass, KeystoreType.JKS, - truststore, truststorePass, KeystoreType.JKS, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); - sslContext = SslContextFactory.createSslContext(tlsConfiguration, SslContextFactory.ClientAuth.REQUIRED); + TlsConfiguration tlsConfiguration = new StandardTlsConfiguration(keystore, keystorePass, keyPass, KeystoreType.JKS, + truststore, truststorePass, KeystoreType.JKS, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); + sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED); } diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/main/java/org/apache/nifi/remote/SocketRemoteSiteListener.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/main/java/org/apache/nifi/remote/SocketRemoteSiteListener.java index 8a6d993e1d58..a2d1d2370370 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/main/java/org/apache/nifi/remote/SocketRemoteSiteListener.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/main/java/org/apache/nifi/remote/SocketRemoteSiteListener.java @@ -47,6 +47,7 @@ import org.apache.nifi.remote.protocol.RequestType; import org.apache.nifi.remote.protocol.ServerProtocol; import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.util.NiFiProperties; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -60,7 +61,7 @@ public class SocketRemoteSiteListener implements RemoteSiteListener { private final NiFiProperties nifiProperties; private final PeerDescriptionModifier peerDescriptionModifier; - private static int EXCEPTION_THRESHOLD_MILLIS = 10_000; + private static final int EXCEPTION_THRESHOLD_MILLIS = 10_000; private volatile long tlsErrorLastSeen = -1; private final AtomicBoolean stopped = new AtomicBoolean(false); @@ -346,7 +347,7 @@ private ServerSocket createServerSocket() throws IOException { final SSLServerSocket serverSocket = (SSLServerSocket) sslContext.getServerSocketFactory().createServerSocket(socketPort); serverSocket.setNeedClientAuth(true); // Enforce custom protocols on socket - serverSocket.setEnabledProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions()); + serverSocket.setEnabledProtocols(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()); return serverSocket; } else { return new ServerSocket(socketPort); diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/test/groovy/org/apache/nifi/remote/SocketRemoteSiteListenerTest.groovy b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/test/groovy/org/apache/nifi/remote/SocketRemoteSiteListenerTest.groovy index 3955f4967163..a5c5335fbb15 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/test/groovy/org/apache/nifi/remote/SocketRemoteSiteListenerTest.groovy +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/test/groovy/org/apache/nifi/remote/SocketRemoteSiteListenerTest.groovy 
@@ -16,10 +16,12 @@ */ package org.apache.nifi.remote -import org.apache.nifi.security.util.CertificateUtils + +import org.apache.nifi.security.util.ClientAuth import org.apache.nifi.security.util.KeyStoreUtils import org.apache.nifi.security.util.KeystoreType import org.apache.nifi.security.util.SslContextFactory +import org.apache.nifi.security.util.StandardTlsConfiguration import org.apache.nifi.security.util.TlsConfiguration import org.apache.nifi.util.NiFiProperties import org.bouncycastle.jce.provider.BouncyCastleProvider @@ -79,7 +81,7 @@ class SocketRemoteSiteListenerTest extends GroovyTestCase { logger.info("[${name?.toUpperCase()}] ${(args as List).join(" ")}") } - tlsConfiguration = new TlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) + tlsConfiguration = new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE) sslContext = SslContextFactory.createSslContext(tlsConfiguration) } @@ -101,7 +103,7 @@ class SocketRemoteSiteListenerTest extends GroovyTestCase { * @param expectedProtocols the specific protocol versions to be present (ordered as desired) */ void assertProtocolVersions(def enabledProtocols, def expectedProtocols) { - if (CertificateUtils.getJavaVersion() > 8) { + if (TlsConfiguration.getJavaVersion() > 8) { assert enabledProtocols == expectedProtocols as String[] } else { assert enabledProtocols as Set == expectedProtocols as Set 
@@ -112,7 +114,7 @@ class SocketRemoteSiteListenerTest extends GroovyTestCase { void testShouldCreateSecureServer() { // Arrange logger.info("Creating SSL Context from TLS Configuration: ${tlsConfiguration}") - SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.NONE) logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}") srsListener = new SocketRemoteSiteListener(PORT, sslContext, mockNiFiProperties) @@ -125,13 +127,13 @@ class SocketRemoteSiteListenerTest extends GroovyTestCase { // serverSocket isn't instance field like CLBS so have to use private method invocation to verify SSLServerSocket sslServerSocket = srsListener.createServerSocket() as SSLServerSocket logger.info("Created SSL server socket: ${KeyStoreUtils.sslServerSocketToString(sslServerSocket)}" as String) - assertProtocolVersions(sslServerSocket.enabledProtocols, CertificateUtils.getCurrentSupportedTlsProtocolVersions()) + assertProtocolVersions(sslServerSocket.enabledProtocols, TlsConfiguration.getCurrentSupportedTlsProtocolVersions()) assert sslServerSocket.needClientAuth // Assert that the default parameters (which can't be modified) still have legacy protocols and no client auth def defaultSSLParameters = sslContext.defaultSSLParameters logger.info("Default SSL Parameters: ${KeyStoreUtils.sslParametersToString(defaultSSLParameters)}" as String) - assertProtocolVersions(defaultSSLParameters.getProtocols(), CertificateUtils.getCurrentSupportedTlsProtocolVersions().sort().reverse() + ["TLSv1.1", "TLSv1"]) + assertProtocolVersions(defaultSSLParameters.getProtocols(), TlsConfiguration.getCurrentSupportedTlsProtocolVersions().sort().reverse() + ["TLSv1.1", "TLSv1"]) assert !defaultSSLParameters.needClientAuth } } 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-stateless/src/main/java/org/apache/nifi/stateless/core/StatelessFlow.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-stateless/src/main/java/org/apache/nifi/stateless/core/StatelessFlow.java index 6ca5320fdd33..1a35deef37d4 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-stateless/src/main/java/org/apache/nifi/stateless/core/StatelessFlow.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-stateless/src/main/java/org/apache/nifi/stateless/core/StatelessFlow.java @@ -54,8 +54,9 @@ import org.apache.nifi.registry.flow.VersionedRemoteGroupPort; import org.apache.nifi.registry.flow.VersionedRemoteProcessGroup; import org.apache.nifi.reporting.InitializationException; -import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.stateless.bootstrap.ExtensionDiscovery; import org.apache.nifi.stateless.bootstrap.InMemoryFlowFile; 
@@ -372,9 +373,9 @@ public static SSLContext getSSLContext(final JsonObject config) { final String truststoreType = sslObject.get(TRUSTSTORE_TYPE).getAsString(); try { - TlsConfiguration tlsConfiguration = new TlsConfiguration(keystore, keystorePass, keyPass, keystoreType, - truststore, truststorePass, truststoreType, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); - return SslContextFactory.createSslContext(tlsConfiguration, SslContextFactory.ClientAuth.REQUIRED); + TlsConfiguration tlsConfiguration = new StandardTlsConfiguration(keystore, keystorePass, keyPass, keystoreType, + truststore, truststorePass, truststoreType, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); + return SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED); } catch (final Exception e) { throw new RuntimeException("Failed to create Keystore", e); } diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java index e53c7859229b..6fc9af9a31ab 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java @@ -73,8 +73,8 @@ import org.apache.nifi.nar.StandardExtensionDiscoveringManager; import org.apache.nifi.nar.StandardNarLoader; import org.apache.nifi.processor.DataUnit; -import org.apache.nifi.security.util.CertificateUtils; import org.apache.nifi.security.util.KeyStoreUtils; +import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.services.FlowService; import org.apache.nifi.ui.extension.UiExtension; import org.apache.nifi.ui.extension.UiExtensionMapping; 
@@ -982,7 +982,7 @@ private SslContextFactory createSslContextFactory() { protected static void configureSslContextFactory(SslContextFactory.Server contextFactory, NiFiProperties props) { // Explicitly exclude legacy TLS protocol versions - contextFactory.setIncludeProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions()); + contextFactory.setIncludeProtocols(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()); contextFactory.setExcludeProtocols("TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv2Hello", "SSLv3"); // require client auth when not supporting login, Kerberos service, or anonymous access diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/groovy/org/apache/nifi/web/server/JettyServerGroovyTest.groovy b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/groovy/org/apache/nifi/web/server/JettyServerGroovyTest.groovy index 054ad080b8c5..23f615821c8c 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/groovy/org/apache/nifi/web/server/JettyServerGroovyTest.groovy +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/groovy/org/apache/nifi/web/server/JettyServerGroovyTest.groovy @@ -24,7 +24,7 @@ import org.apache.nifi.nar.ExtensionMapping import org.apache.nifi.nar.SystemBundle import org.apache.nifi.processor.DataUnit import org.apache.nifi.properties.StandardNiFiProperties -import org.apache.nifi.security.util.CertificateUtils +import org.apache.nifi.security.util.StandardTlsConfiguration import org.apache.nifi.security.util.TlsConfiguration import org.apache.nifi.util.NiFiProperties import org.bouncycastle.jce.provider.BouncyCastleProvider 
@@ -84,8 +84,8 @@ class JettyServerGroovyTest extends GroovyTestCase { private static final List TLS_1_3_CIPHER_SUITES = ["TLS_AES_128_GCM_SHA256"] // Depending if the test is run on Java 8 or Java 11, these values change (TLSv1.2 vs. TLSv1.3) - private static final CURRENT_TLS_PROTOCOL_VERSION = CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion() - private static final List CURRENT_TLS_PROTOCOL_VERSIONS = CertificateUtils.getCurrentSupportedTlsProtocolVersions() + private static final CURRENT_TLS_PROTOCOL_VERSION = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion() + private static final List CURRENT_TLS_PROTOCOL_VERSIONS = TlsConfiguration.getCurrentSupportedTlsProtocolVersions() // These protocol versions should not ever be supported static private final List LEGACY_TLS_PROTOCOLS = ["TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv2Hello", "SSLv3"] @@ -344,7 +344,7 @@ class JettyServerGroovyTest extends GroovyTestCase { @Test void testShouldSupportTLSv1_3OnJava11() { // Arrange - Assume.assumeTrue("This test should only run on Java 11+", CertificateUtils.getJavaVersion() >= 11) + Assume.assumeTrue("This test should only run on Java 11+", TlsConfiguration.getJavaVersion() >= 11) Server internalServer = new Server() JettyServer jetty = new JettyServer(internalServer, httpsProps) @@ -354,7 +354,7 @@ class JettyServerGroovyTest extends GroovyTestCase { internalServer.start() // Create a (client) socket which only supports TLSv1.3 - TlsConfiguration tls13ClientConf = TlsConfiguration.fromNiFiProperties(httpsProps) + TlsConfiguration tls13ClientConf = StandardTlsConfiguration.fromNiFiProperties(httpsProps) SSLSocketFactory socketFactory = org.apache.nifi.security.util.SslContextFactory.createSSLSocketFactory(tls13ClientConf) SSLSocket socket = (SSLSocket) socketFactory.createSocket(HTTPS_HOSTNAME, HTTPS_PORT) 
@@ -386,7 +386,7 @@ class JettyServerGroovyTest extends GroovyTestCase { List connectors = Arrays.asList(internalServer.connectors) internalServer.start() - TlsConfiguration tlsConfiguration = TlsConfiguration.fromNiFiProperties(httpsProps) + TlsConfiguration tlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(httpsProps) // Create a "default" (client) socket (which supports TLSv1.2) SSLSocketFactory defaultSocketFactory = org.apache.nifi.security.util.SslContextFactory.createSSLSocketFactory(tlsConfiguration) @@ -440,7 +440,7 @@ class JettyServerGroovyTest extends GroovyTestCase { def isZulu = vendor =~ ZULU_RE || vendorVersion =~ ZULU_RE logger.info("Vendor is Azul/Zulu: ${isZulu}") - def majorJavaVersion = CertificateUtils.getJavaVersion() + def majorJavaVersion = TlsConfiguration.getJavaVersion() logger.info("Detected major Java version: ${majorJavaVersion}") // JDK 8 update 262 adds TLS 1.3 support to Java 8, and the Azul vendor throws a different exception than expected @@ -476,8 +476,8 @@ class JettyServerGroovyTest extends GroovyTestCase { private static void assertServerConnector(List connectors, String EXPECTED_TLS_PROTOCOL = "TLS", - List EXPECTED_INCLUDED_PROTOCOLS = CertificateUtils.getCurrentSupportedTlsProtocolVersions(), - List EXPECTED_SELECTED_PROTOCOLS = CertificateUtils.getCurrentSupportedTlsProtocolVersions(), + List EXPECTED_INCLUDED_PROTOCOLS = TlsConfiguration.getCurrentSupportedTlsProtocolVersions(), + List EXPECTED_SELECTED_PROTOCOLS = TlsConfiguration.getCurrentSupportedTlsProtocolVersions(), String EXPECTED_HOSTNAME = HTTPS_HOSTNAME, int EXPECTED_PORT = HTTPS_PORT) { // Assert the server connector is correct 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/OneWaySslAccessControlHelper.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/OneWaySslAccessControlHelper.java index cf9721fff98f..6faf991d0209 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/OneWaySslAccessControlHelper.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/OneWaySslAccessControlHelper.java @@ -31,6 +31,7 @@ import org.apache.nifi.nar.StandardExtensionDiscoveringManager; import org.apache.nifi.nar.SystemBundle; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.util.NiFiProperties; import org.apache.nifi.web.util.WebUtils; @@ -40,13 +41,13 @@ */ public class OneWaySslAccessControlHelper { - private NiFiTestUser user; + private final NiFiTestUser user; private static final String CONTEXT_PATH = "/nifi-api"; private NiFiTestServer server; - private String baseUrl; - private String flowXmlPath; + private final String baseUrl; + private final String flowXmlPath; public OneWaySslAccessControlHelper() throws Exception { this("src/test/resources/access-control/nifi.properties"); 
@@ -90,7 +91,7 @@ public OneWaySslAccessControlHelper(final String nifiPropertiesPath) throws Exce baseUrl = server.getBaseUrl() + CONTEXT_PATH; // Create a TlsConfiguration for the truststore properties only - TlsConfiguration trustOnlyTlsConfiguration = TlsConfiguration.fromNiFiPropertiesTruststoreOnly(props); + TlsConfiguration trustOnlyTlsConfiguration = StandardTlsConfiguration.fromNiFiPropertiesTruststoreOnly(props); // create the user final Client client = WebUtils.createClient(null, SslContextFactory.createSslContext(trustOnlyTlsConfiguration)); diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestServer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestServer.java index e61dbaea216f..1fdab5db2483 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestServer.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestServer.java @@ -21,7 +21,7 @@ import javax.servlet.ServletContext; import javax.ws.rs.client.Client; import org.apache.commons.lang3.StringUtils; -import org.apache.nifi.security.util.TlsConfiguration; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.apache.nifi.services.FlowService; import org.apache.nifi.ui.extension.UiExtensionMapping; 
@@ -168,7 +168,7 @@ public String getBaseUrl() { } public Client getClient() throws TlsException { - return WebUtils.createClient(null, org.apache.nifi.security.util.SslContextFactory.createSslContext(TlsConfiguration.fromNiFiProperties(properties))); + return WebUtils.createClient(null, org.apache.nifi.security.util.SslContextFactory.createSslContext(StandardTlsConfiguration.fromNiFiProperties(properties))); } /** diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidator.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidator.java index 42e30e8630c9..2f111f36d3c8 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidator.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/ocsp/OcspCertificateValidator.java @@ -44,6 +44,7 @@ import org.apache.commons.lang3.StringUtils; import org.apache.nifi.security.util.KeyStoreUtils; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.util.FormatUtils; import org.apache.nifi.util.NiFiProperties; 
@@ -107,7 +108,7 @@ public OcspCertificateValidator(final NiFiProperties properties) { // initialize the client if (HTTPS.equalsIgnoreCase(validationAuthorityURI.getScheme())) { - TlsConfiguration tlsConfiguration = TlsConfiguration.fromNiFiProperties(properties); + TlsConfiguration tlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(properties); client = WebUtils.createClient(clientConfig, SslContextFactory.createSslContext(tlsConfiguration)); } else { client = WebUtils.createClient(clientConfig); diff --git a/nifi-nar-bundles/nifi-framework-bundle/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/pom.xml index 64f1e0df8b65..d09bebaf9de6 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/pom.xml @@ -53,6 +53,11 @@ nifi-security-utils 1.13.0-SNAPSHOT + + org.apache.nifi + nifi-security-utils-api + 1.13.0-SNAPSHOT + org.apache.nifi nifi-expression-language diff --git a/nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-processors/src/main/java/org/apache/nifi/processors/grpc/InvokeGRPC.java b/nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-processors/src/main/java/org/apache/nifi/processors/grpc/InvokeGRPC.java index 582ff9e38654..1b9d087aed45 100644 --- a/nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-processors/src/main/java/org/apache/nifi/processors/grpc/InvokeGRPC.java +++ b/nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-processors/src/main/java/org/apache/nifi/processors/grpc/InvokeGRPC.java @@ -58,7 +58,7 @@ import org.apache.nifi.processor.Relationship; import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.util.StandardValidators; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; @EventDriven 
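Review bot: In the OcspCertificateValidator constructor, the HTTPS branch builds the OCSP client from `StandardTlsConfiguration.fromNiFiProperties(properties)`, which presumably carries the node's keystore as well as its truststore into the connection to the validation authority. If the responder does not require mutual TLS, the truststore-only factory used in OneWaySslAccessControlHelper in this same change keeps the node's private key out of that client: `TlsConfiguration tlsConfiguration = StandardTlsConfiguration.fromNiFiPropertiesTruststoreOnly(properties);`. If presenting the node certificate to the responder is intended, a one-line comment saying so would help. The constructor body continues outside the hunk.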
@@ -240,7 +240,7 @@ public void initializeClient(final ProcessContext context) throws Exception { // configure whether or not we're using secure comms final boolean useSecure = context.getProperty(PROP_USE_SECURE).asBoolean(); final SSLContextService sslContextService = context.getProperty(PROP_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class); - final SSLContext sslContext = sslContextService == null ? null : sslContextService.createSSLContext(SslContextFactory.ClientAuth.NONE); + final SSLContext sslContext = sslContextService == null ? null : sslContextService.createSSLContext(ClientAuth.NONE); if (useSecure && sslContext != null) { SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient(); diff --git a/nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-processors/src/main/java/org/apache/nifi/processors/grpc/ListenGRPC.java b/nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-processors/src/main/java/org/apache/nifi/processors/grpc/ListenGRPC.java index f34d1bc42e69..f9e8616969fa 100644 --- a/nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-processors/src/main/java/org/apache/nifi/processors/grpc/ListenGRPC.java +++ b/nifi-nar-bundles/nifi-grpc-bundle/nifi-grpc-processors/src/main/java/org/apache/nifi/processors/grpc/ListenGRPC.java @@ -23,7 +23,6 @@ import io.grpc.ServerInterceptors; import io.grpc.netty.GrpcSslContexts; import io.grpc.netty.NettyServerBuilder; -import io.netty.handler.ssl.ClientAuth; import io.netty.handler.ssl.SslContextBuilder; import java.io.FileInputStream; import java.io.IOException; @@ -60,7 +59,6 @@ import org.apache.nifi.processor.Relationship; import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.util.StandardValidators; -import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.ssl.RestrictedSSLContextService; import org.apache.nifi.ssl.SSLContextService; 
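Review bot: In InvokeGRPC.initializeClient, `if (useSecure && sslContext != null)` is skipped when PROP_USE_SECURE is true but no SSL Context Service is configured, and nothing in the hunk reports that mismatch. The else path is outside the hunk; if it builds a plaintext channel, a flow that asked for secure comms would run without TLS and give no indication. A guard before the branch fails closed: `if (useSecure && sslContext == null) { throw new ProcessException("Secure communication is enabled but no SSL Context Service is configured"); }`.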
@@ -171,7 +169,7 @@ public void startServer(final ProcessContext context) throws NoSuchAlgorithmExce final Integer flowControlWindow = context.getProperty(PROP_FLOW_CONTROL_WINDOW).asDataSize(DataUnit.B).intValue(); final Integer maxMessageSize = context.getProperty(PROP_MAX_MESSAGE_SIZE).asDataSize(DataUnit.B).intValue(); final SSLContextService sslContextService = context.getProperty(PROP_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class); - final SSLContext sslContext = sslContextService == null ? null : sslContextService.createSSLContext(SslContextFactory.ClientAuth.NONE); + final SSLContext sslContext = sslContextService == null ? null : sslContextService.createSSLContext(org.apache.nifi.security.util.ClientAuth.NONE); final Pattern authorizedDnPattern = Pattern.compile(context.getProperty(PROP_AUTHORIZED_DN_PATTERN).getValue()); final FlowFileIngestServiceInterceptor callInterceptor = new FlowFileIngestServiceInterceptor(getLogger()); callInterceptor.enforceDNPattern(authorizedDnPattern); @@ -213,9 +211,9 @@ public void startServer(final ProcessContext context) throws NoSuchAlgorithmExce } trustManagerFactory.init(trustStore); sslContextBuilder = sslContextBuilder.trustManager(trustManagerFactory); - sslContextBuilder = sslContextBuilder.clientAuth(ClientAuth.REQUIRE); + sslContextBuilder = sslContextBuilder.clientAuth(io.netty.handler.ssl.ClientAuth.REQUIRE); } else { - sslContextBuilder = sslContextBuilder.clientAuth(ClientAuth.NONE); + sslContextBuilder = sslContextBuilder.clientAuth(io.netty.handler.ssl.ClientAuth.NONE); } sslContextBuilder = GrpcSslContexts.configure(sslContextBuilder); serverBuilder = serverBuilder.sslContext(sslContextBuilder.build()); 
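Review bot: ListenGRPC.startServer now spells out two different `ClientAuth` enums by package, `org.apache.nifi.security.util.ClientAuth.NONE` for `createSSLContext` in the first hunk and `io.netty.handler.ssl.ClientAuth.REQUIRE`/`NONE` for the netty builder in the second, and nothing explains why the first is NONE while the second may be REQUIRE. A comment at the `createSSLContext` call would stop a reader from taking NONE as the server's client-certificate policy, for example `// Client-certificate enforcement is set on the netty SslContextBuilder below, not on this SSLContext`. It is also worth confirming how the `else` branch (client auth NONE) interacts with `callInterceptor.enforceDNPattern(authorizedDnPattern)`, which is installed unconditionally; the condition guarding that branch is outside the hunk, so this cannot be judged from here.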
diff --git a/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/cf/JMSConnectionFactoryHandler.java b/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/cf/JMSConnectionFactoryHandler.java index fe775003a963..288da8d22357 100644 --- a/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/cf/JMSConnectionFactoryHandler.java +++ b/nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/cf/JMSConnectionFactoryHandler.java @@ -31,7 +31,7 @@ import org.apache.nifi.controller.ConfigurationContext; import org.apache.nifi.logging.ComponentLog; import org.apache.nifi.processor.ProcessContext; -import org.apache.nifi.security.util.SslContextFactory.ClientAuth; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; /** diff --git a/nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers-nar/pom.xml b/nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers-nar/pom.xml index 87156b972836..58897c6751d3 100644 --- a/nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers-nar/pom.xml +++ b/nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers-nar/pom.xml @@ -31,6 +31,12 @@ org.apache.nifi nifi-kerberos-iaa-providers + + + org.apache.nifi + nifi-security-utils-api + compile + nifi-kerberos-iaa-providers-nar \ No newline at end of file diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers-nar/pom.xml b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers-nar/pom.xml index c20c74ed3d51..e1b9a0cb2986 100644 --- a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers-nar/pom.xml +++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers-nar/pom.xml 
@@ -31,6 +31,12 @@ org.apache.nifi nifi-ldap-iaa-providers + + + org.apache.nifi + nifi-security-utils-api + compile + nifi-ldap-iaa-providers-nar \ No newline at end of file diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java index 4570fafa536a..2547e73eecb5 100644 --- a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java +++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java @@ -16,6 +16,11 @@ */ package org.apache.nifi.ldap; +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.TimeUnit; +import javax.naming.Context; +import javax.net.ssl.SSLContext; import org.apache.commons.lang3.StringUtils; import org.apache.nifi.authentication.AuthenticationResponse; import org.apache.nifi.authentication.LoginCredentials; @@ -27,8 +32,9 @@ import org.apache.nifi.authentication.exception.ProviderCreationException; import org.apache.nifi.authentication.exception.ProviderDestructionException; import org.apache.nifi.configuration.NonComponentConfigurationContext; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; -import org.apache.nifi.security.util.SslContextFactory.ClientAuth; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.apache.nifi.util.FormatUtils; 
@@ -50,12 +56,6 @@ import org.springframework.security.ldap.search.LdapUserSearch; import org.springframework.security.ldap.userdetails.LdapUserDetails; -import javax.naming.Context; -import javax.net.ssl.SSLContext; -import java.util.HashMap; -import java.util.Map; -import java.util.concurrent.TimeUnit; - /** * Abstract LDAP based implementation of a login identity provider. */ @@ -257,7 +257,8 @@ public static SSLContext getConfiguredSslContext(final NonComponentConfiguration final String rawProtocol = configurationContext.getProperty("TLS - Protocol"); try { - TlsConfiguration tlsConfiguration = new TlsConfiguration(rawKeystore, rawKeystorePassword, null, rawKeystoreType, rawTruststore, rawTruststorePassword, rawTruststoreType, rawProtocol); + TlsConfiguration tlsConfiguration = new StandardTlsConfiguration(rawKeystore, rawKeystorePassword, null, rawKeystoreType, + rawTruststore, rawTruststorePassword, rawTruststoreType, rawProtocol); ClientAuth clientAuth = ClientAuth.isValidClientAuthType(rawClientAuth) ? ClientAuth.valueOf(rawClientAuth) : ClientAuth.NONE; return SslContextFactory.createSslContext(tlsConfiguration, clientAuth); } catch (TlsException e) { @@ -313,4 +314,4 @@ public final AuthenticationResponse authenticate(final LoginCredentials credenti public final void preDestruction() throws ProviderDestructionException { } -} +} \ No newline at end of file diff --git a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java index 9d4bab0c1483..a542f945d6e3 100644 --- a/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java 
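Review bot: In LdapProvider.getConfiguredSslContext, `rawProtocol` is read from the "TLS - Protocol" property and passed to the new `StandardTlsConfiguration` constructor unchecked, and on the next line an unrecognized client-auth value falls back to `ClientAuth.NONE` without any error or log entry. Whether the constructor or `createSslContext` rejects legacy protocol names is not visible here; if they do not, comparing the value with `TlsConfiguration.getCurrentSupportedTlsProtocolVersions()` before building the configuration would keep the LDAP connection on the protocol floor JettyServer enforces. For the fallback, a guard such as `if (StringUtils.isNotBlank(rawClientAuth) && !ClientAuth.isValidClientAuthType(rawClientAuth)) { throw new ProviderCreationException("Unrecognized TLS client auth value '" + rawClientAuth + "'"); }` makes a configuration typo visible. The same two lines appear in LdapUserGroupProvider.getConfiguredSslContext later in this diff.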
+++ b/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java @@ -52,8 +52,9 @@ import org.apache.nifi.ldap.LdapAuthenticationStrategy; import org.apache.nifi.ldap.LdapsSocketFactory; import org.apache.nifi.ldap.ReferralStrategy; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; -import org.apache.nifi.security.util.SslContextFactory.ClientAuth; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.apache.nifi.util.FormatUtils; @@ -118,7 +119,7 @@ public class LdapUserGroupProvider implements UserGroupProvider { private NiFiProperties properties; private ScheduledExecutorService ldapSync; - private AtomicReference tenants = new AtomicReference<>(null); + private final AtomicReference tenants = new AtomicReference<>(null); private String userSearchBase; private SearchScope userSearchScope; @@ -824,7 +825,8 @@ private SSLContext getConfiguredSslContext(final AuthorizerConfigurationContext final String rawProtocol = configurationContext.getProperty("TLS - Protocol").getValue(); try { - TlsConfiguration tlsConfiguration = new TlsConfiguration(rawKeystore, rawKeystorePassword, null, rawKeystoreType, rawTruststore, rawTruststorePassword, rawTruststoreType, rawProtocol); + TlsConfiguration tlsConfiguration = new StandardTlsConfiguration(rawKeystore, rawKeystorePassword, null, rawKeystoreType, + rawTruststore, rawTruststorePassword, rawTruststoreType, rawProtocol); ClientAuth clientAuth = ClientAuth.isValidClientAuthType(rawClientAuth) ? ClientAuth.valueOf(rawClientAuth) : ClientAuth.NONE; return SslContextFactory.createSslContext(tlsConfiguration, clientAuth); } catch (TlsException e) { 
diff --git a/nifi-nar-bundles/nifi-lumberjack-bundle/nifi-lumberjack-processors/src/main/java/org/apache/nifi/processors/lumberjack/ListenLumberjack.java b/nifi-nar-bundles/nifi-lumberjack-bundle/nifi-lumberjack-processors/src/main/java/org/apache/nifi/processors/lumberjack/ListenLumberjack.java index ec9ffded7dce..7ff65ee0a1c2 100644 --- a/nifi-nar-bundles/nifi-lumberjack-bundle/nifi-lumberjack-processors/src/main/java/org/apache/nifi/processors/lumberjack/ListenLumberjack.java +++ b/nifi-nar-bundles/nifi-lumberjack-bundle/nifi-lumberjack-processors/src/main/java/org/apache/nifi/processors/lumberjack/ListenLumberjack.java @@ -57,7 +57,7 @@ import org.apache.nifi.processors.lumberjack.handler.LumberjackSocketChannelHandlerFactory; import org.apache.nifi.processors.lumberjack.response.LumberjackChannelResponse; import org.apache.nifi.processors.lumberjack.response.LumberjackResponse; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.RestrictedSSLContextService; import org.apache.nifi.ssl.SSLContextService; @@ -141,7 +141,7 @@ protected ChannelDispatcher createDispatcher(final ProcessContext context, final SSLContext sslContext = null; final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class); if (sslContextService != null) { - sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.REQUIRED); + sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); } // if we decide to support SSL then get the context and pass it in here diff --git a/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-client-service-api/pom.xml b/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-client-service-api/pom.xml index 58b8092271f5..691bf0451069 100644 --- a/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-client-service-api/pom.xml 
+++ b/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-client-service-api/pom.xml @@ -44,7 +44,6 @@ org.apache.nifi nifi-ssl-context-service-api - compile org.apache.nifi diff --git a/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-client-service-api/src/main/java/org/apache/nifi/mongodb/MongoDBClientService.java b/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-client-service-api/src/main/java/org/apache/nifi/mongodb/MongoDBClientService.java index e00bed49d254..76cf543865c4 100644 --- a/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-client-service-api/src/main/java/org/apache/nifi/mongodb/MongoDBClientService.java +++ b/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-client-service-api/src/main/java/org/apache/nifi/mongodb/MongoDBClientService.java @@ -24,7 +24,7 @@ import org.apache.nifi.controller.ControllerService; import org.apache.nifi.expression.ExpressionLanguageScope; import org.apache.nifi.processor.util.StandardValidators; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.bson.Document; @@ -59,7 +59,7 @@ public interface MongoDBClientService extends ControllerService { + "Possible values are REQUIRED, WANT, NONE. This property is only used when an SSL Context " + "has been defined and enabled.") .required(false) - .allowableValues(SslContextFactory.ClientAuth.values()) + .allowableValues(ClientAuth.values()) .defaultValue("REQUIRED") .build(); diff --git a/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-processors/src/main/java/org/apache/nifi/processors/mongodb/AbstractMongoProcessor.java b/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-processors/src/main/java/org/apache/nifi/processors/mongodb/AbstractMongoProcessor.java index 524f6fb33956..79cd1d65efbc 100644 --- a/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-processors/src/main/java/org/apache/nifi/processors/mongodb/AbstractMongoProcessor.java 
+++ b/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-processors/src/main/java/org/apache/nifi/processors/mongodb/AbstractMongoProcessor.java @@ -54,7 +54,7 @@ import org.apache.nifi.processor.Relationship; import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.util.StandardValidators; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.bson.Document; @@ -135,7 +135,7 @@ public abstract class AbstractMongoProcessor extends AbstractProcessor { + "Possible values are REQUIRED, WANT, NONE. This property is only used when an SSL Context " + "has been defined and enabled.") .required(false) - .allowableValues(SslContextFactory.ClientAuth.values()) + .allowableValues(ClientAuth.values()) .defaultValue("REQUIRED") .build(); @@ -245,15 +245,15 @@ public final void createClient(ProcessContext context) throws IOException { final SSLContext sslContext; if (sslService != null) { - final SslContextFactory.ClientAuth clientAuth; + final ClientAuth clientAuth; if (StringUtils.isBlank(rawClientAuth)) { - clientAuth = SslContextFactory.ClientAuth.REQUIRED; + clientAuth = ClientAuth.REQUIRED; } else { try { - clientAuth = SslContextFactory.ClientAuth.valueOf(rawClientAuth); + clientAuth = ClientAuth.valueOf(rawClientAuth); } catch (final IllegalArgumentException iae) { throw new IllegalStateException(String.format("Unrecognized client auth '%s'. Possible values are [%s]", - rawClientAuth, StringUtils.join(SslContextFactory.ClientAuth.values(), ", "))); + rawClientAuth, StringUtils.join(ClientAuth.values(), ", "))); } } sslContext = sslService.createSSLContext(clientAuth); 
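Review bot: In AbstractMongoProcessor.createClient, the `IllegalStateException` raised for an unrecognized client auth value discards the caught `iae`, so the original failure is missing from the stack trace. Passing it as the cause keeps it: `rawClientAuth, StringUtils.join(ClientAuth.values(), ", ")), iae);`. MongoDBControllerService.createClient repeats the same block later in this diff, which the TODO added there acknowledges; `ClientAuth.isValidClientAuthType`, already used by the LDAP providers in this change, could replace the try/catch in both places. createClient starts and ends outside the hunk.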
diff --git a/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-processors/src/test/java/org/apache/nifi/processors/mongodb/AbstractMongoProcessorTest.java b/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-processors/src/test/java/org/apache/nifi/processors/mongodb/AbstractMongoProcessorTest.java index 8489af05f1e0..d8b86162d6eb 100644 --- a/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-processors/src/test/java/org/apache/nifi/processors/mongodb/AbstractMongoProcessorTest.java +++ b/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-processors/src/test/java/org/apache/nifi/processors/mongodb/AbstractMongoProcessorTest.java @@ -27,7 +27,7 @@ import org.apache.nifi.processor.ProcessContext; import org.apache.nifi.processor.ProcessSession; import org.apache.nifi.processor.exception.ProcessException; -import org.apache.nifi.security.util.SslContextFactory.ClientAuth; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.util.TestRunner; import org.apache.nifi.util.TestRunners; diff --git a/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-services/src/main/java/org/apache/nifi/mongodb/MongoDBControllerService.java b/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-services/src/main/java/org/apache/nifi/mongodb/MongoDBControllerService.java index 252e0d179bb1..bb3a4eee17b1 100644 --- a/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-services/src/main/java/org/apache/nifi/mongodb/MongoDBControllerService.java +++ b/nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-services/src/main/java/org/apache/nifi/mongodb/MongoDBControllerService.java 
@@ -34,7 +34,7 @@ import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.controller.AbstractControllerService; import org.apache.nifi.controller.ConfigurationContext; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; @Tags({"mongo", "mongodb", "service"}) @@ -61,6 +61,7 @@ public void onEnabled(final ConfigurationContext context) { protected MongoClient mongoClient; + // TODO: Remove duplicate code by refactoring shared method to accept PropertyContext protected final void createClient(ConfigurationContext context) { if (mongoClient != null) { closeClient(); @@ -74,15 +75,15 @@ protected final void createClient(ConfigurationContext context) { final SSLContext sslContext; if (sslService != null) { - final SslContextFactory.ClientAuth clientAuth; + final ClientAuth clientAuth; if (StringUtils.isBlank(rawClientAuth)) { - clientAuth = SslContextFactory.ClientAuth.REQUIRED; + clientAuth = ClientAuth.REQUIRED; } else { try { - clientAuth = SslContextFactory.ClientAuth.valueOf(rawClientAuth); + clientAuth = ClientAuth.valueOf(rawClientAuth); } catch (final IllegalArgumentException iae) { throw new IllegalStateException(String.format("Unrecognized client auth '%s'. Possible values are [%s]", - rawClientAuth, StringUtils.join(SslContextFactory.ClientAuth.values(), ", "))); + rawClientAuth, StringUtils.join(ClientAuth.values(), ", "))); } } sslContext = sslService.createSSLContext(clientAuth); diff --git a/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/s2s/SiteToSiteUtils.java b/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/s2s/SiteToSiteUtils.java index 8d6f10c64137..3d6f3473a5a1 100644 
--- a/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/s2s/SiteToSiteUtils.java +++ b/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/s2s/SiteToSiteUtils.java @@ -33,7 +33,7 @@ import org.apache.nifi.remote.protocol.http.HttpProxy; import org.apache.nifi.remote.util.SiteToSiteRestApiClient; import org.apache.nifi.reporting.ReportingContext; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.RestrictedSSLContextService; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.util.StringUtils; @@ -147,7 +147,7 @@ public class SiteToSiteUtils { public static SiteToSiteClient getClient(PropertyContext reportContext, ComponentLog logger, StateManager stateManager) { final SSLContextService sslContextService = reportContext.getProperty(SiteToSiteUtils.SSL_CONTEXT).asControllerService(SSLContextService.class); - final SSLContext sslContext = sslContextService == null ? null : sslContextService.createSSLContext(SslContextFactory.ClientAuth.REQUIRED); + final SSLContext sslContext = sslContextService == null ? null : sslContextService.createSSLContext(ClientAuth.REQUIRED); final EventReporter eventReporter = (EventReporter) (severity, category, message) -> { switch (severity) { case WARNING: diff --git a/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java b/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java index af1f2a49755f..5f8a51af2a53 100644 --- a/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java +++ b/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java 
@@ -55,7 +55,7 @@ import org.apache.nifi.processor.ProcessContext; import org.apache.nifi.processor.io.OutputStreamCallback; import org.apache.nifi.processor.util.StandardValidators; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.serialization.RecordSetWriterFactory; import org.apache.nifi.serialization.record.DataType; import org.apache.nifi.serialization.record.ListRecordSet; @@ -251,7 +251,7 @@ public static synchronized SolrClient createSolrClient(final PropertyContext con } if (sslContextService != null) { - final SSLContext sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.REQUIRED); + final SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); final SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext); HttpClientUtil.setSchemaRegistryProvider(new HttpClientUtil.SchemaRegistryProvider() { @Override @@ -326,7 +326,7 @@ public static OutputStreamCallback getOutputStreamCallbackToTransformSolrRespons * Writes each SolrDocument in XML format to the OutputStream. */ private static class QueryResponseOutputStreamCallback implements OutputStreamCallback { - private QueryResponse response; + private final QueryResponse response; public QueryResponseOutputStreamCallback(QueryResponse response) { this.response = response; diff --git a/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/MockSSLContextService.java b/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/MockSSLContextService.java index f4e1222a499b..fd66a6159b71 100644 --- a/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/MockSSLContextService.java +++ b/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/MockSSLContextService.java 
@@ -19,7 +19,6 @@ import javax.net.ssl.SSLContext; import org.apache.nifi.controller.AbstractControllerService; import org.apache.nifi.processor.exception.ProcessException; -import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.ssl.SSLContextService; @@ -29,13 +28,19 @@ * // TODO: Remove and use regular mocking or Groovy rather than shell implementation */ public class MockSSLContextService extends AbstractControllerService implements SSLContextService { + @Override public TlsConfiguration createTlsConfiguration() { return null; } @Override - public SSLContext createSSLContext(SslContextFactory.ClientAuth clientAuth) throws ProcessException { + public SSLContext createSSLContext(org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException { + return null; + } + + @Override + public SSLContext createSSLContext(SSLContextService.ClientAuth clientAuth) throws ProcessException { return null; } diff --git a/nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java b/nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java index 7a9cf572887a..44a1fd5d493c 100644 --- a/nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java +++ b/nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java 
@@ -76,7 +76,7 @@ import org.apache.nifi.kerberos.KerberosCredentialsService; import org.apache.nifi.logging.ComponentLog; import org.apache.nifi.processor.util.StandardValidators; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.codehaus.jackson.map.ObjectMapper; import org.codehaus.jettison.json.JSONException; @@ -182,7 +182,7 @@ public class LivySessionController extends AbstractControllerService implements private volatile String controllerKind; private volatile String jars; private volatile String files; - private volatile Map sessions = new ConcurrentHashMap<>(); + private final Map sessions = new ConcurrentHashMap<>(); private volatile SSLContextService sslContextService; private volatile SSLContext sslContext; private volatile int connectTimeout; @@ -225,7 +225,7 @@ public void onConfigured(final ConfigurationContext context) { final String jars = context.getProperty(JARS).evaluateAttributeExpressions().getValue(); final String files = context.getProperty(FILES).evaluateAttributeExpressions().getValue(); sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class); - sslContext = sslContextService == null ? null : sslContextService.createSSLContext(SslContextFactory.ClientAuth.NONE); + sslContext = sslContextService == null ? null : sslContextService.createSSLContext(ClientAuth.NONE); connectTimeout = Math.toIntExact(context.getProperty(CONNECT_TIMEOUT).asTimePeriod(TimeUnit.MILLISECONDS)); credentialsService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class); 
diff --git a/nifi-nar-bundles/nifi-splunk-bundle/nifi-splunk-processors/src/main/java/org/apache/nifi/processors/splunk/PutSplunk.java b/nifi-nar-bundles/nifi-splunk-bundle/nifi-splunk-processors/src/main/java/org/apache/nifi/processors/splunk/PutSplunk.java index 45c47072f0c1..7e15c1470cd6 100644 --- a/nifi-nar-bundles/nifi-splunk-bundle/nifi-splunk-processors/src/main/java/org/apache/nifi/processors/splunk/PutSplunk.java +++ b/nifi-nar-bundles/nifi-splunk-bundle/nifi-splunk-processors/src/main/java/org/apache/nifi/processors/splunk/PutSplunk.java @@ -45,7 +45,7 @@ import org.apache.nifi.processor.io.InputStreamCallback; import org.apache.nifi.processor.util.put.AbstractPutEventProcessor; import org.apache.nifi.processor.util.put.sender.ChannelSender; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.stream.io.ByteCountingInputStream; import org.apache.nifi.stream.io.StreamUtils; @@ -120,7 +120,7 @@ protected ChannelSender createSender(ProcessContext context) throws IOException SSLContext sslContext = null; if (sslContextService != null) { - sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.REQUIRED); + sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); } return createSender(protocol, host, port, timeout, maxSendBuffer, sslContext); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java index b20736285567..54a9bda6ef60 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java 
@@ -98,8 +98,8 @@ import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.processors.standard.util.HTTPUtils; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.KeyStoreUtils; -import org.apache.nifi.security.util.SslContextFactory.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.util.StopWatch; import org.apache.nifi.util.Tuple; @@ -241,7 +241,7 @@ public class GetHTTP extends AbstractSessionFactoryProcessor { private Set relationships; private List properties; - private volatile List customHeaders = new ArrayList<>(); + private final List customHeaders = new ArrayList<>(); private final AtomicBoolean clearState = new AtomicBoolean(false); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java index d1e6cacd638b..09a68eb35bd0 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java @@ -57,7 +57,7 @@ import org.apache.nifi.processors.standard.relp.handler.RELPSocketChannelHandlerFactory; import org.apache.nifi.processors.standard.relp.response.RELPChannelResponse; import org.apache.nifi.processors.standard.relp.response.RELPResponse; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.RestrictedSSLContextService; import org.apache.nifi.ssl.SSLContextService; 
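Review bot: In the `@@ -241,7 +241,7 @@` hunk of `GetHTTP`, `customHeaders` becomes a `final` reference to a plain `ArrayList`, which settles reassignment but says nothing about visibility of the list's contents across threads. How the list is filled and read is not visible in this hunk; if it is modified in place by a configuration callback while trigger threads iterate it, a request could be built from a partially updated header set. In that case a concurrent collection would match the other fields this commit makes `final` (`ConcurrentHashMap`, `LinkedBlockingQueue`), for example `private final List customHeaders = new CopyOnWriteArrayList<>();` with the element type as declared in the file. If the list is only ever written before the processor is scheduled, a short comment stating that would be enough.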
@@ -90,8 +90,8 @@ public class ListenRELP extends AbstractListenEventBatchingProcessor .displayName("Client Auth") .description("The client authentication policy to use for the SSL Context. Only used if an SSL Context Service is provided.") .required(false) - .allowableValues(SslContextFactory.ClientAuth.values()) - .defaultValue(SslContextFactory.ClientAuth.REQUIRED.name()) + .allowableValues(ClientAuth.values()) + .defaultValue(ClientAuth.REQUIRED.name()) .build(); private volatile RELPEncoder relpEncoder; @@ -139,13 +139,13 @@ protected ChannelDispatcher createDispatcher(final ProcessContext context, final // if an SSLContextService was provided then create an SSLContext to pass down to the dispatcher SSLContext sslContext = null; - SslContextFactory.ClientAuth clientAuth = null; + ClientAuth clientAuth = null; final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class); if (sslContextService != null) { final String clientAuthValue = context.getProperty(CLIENT_AUTH).getValue(); - sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.valueOf(clientAuthValue)); - clientAuth = SslContextFactory.ClientAuth.valueOf(clientAuthValue); + sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuthValue)); + clientAuth = ClientAuth.valueOf(clientAuthValue); } diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java index a4d623bd7a70..77a9a2800799 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java 
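Review bot: In the `@@ -139,13 +139,13 @@` hunk of `createDispatcher`, `ClientAuth.valueOf(clientAuthValue)` is evaluated twice, once as the argument to `createSSLContext` and once for the `clientAuth` local, so the SSLContext and the dispatcher's policy come from two separate parses of the same string. Parse once and reuse the result: `clientAuth = ClientAuth.valueOf(clientAuthValue);` followed by `sslContext = sslContextService.createSSLContext(clientAuth);`. That keeps the two consumers of the client-authentication policy from drifting apart if one of the lines is edited later. The same pair of lines appears in `ListenSyslog.createChannelReader` and `ListenTCPRecord.onScheduled` in this commit. `createDispatcher` begins and ends outside the hunk.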
@@ -70,7 +70,7 @@ import org.apache.nifi.processor.util.listen.handler.ChannelHandlerFactory; import org.apache.nifi.processor.util.listen.handler.socket.SocketChannelHandlerFactory; import org.apache.nifi.processor.util.listen.response.ChannelResponder; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.RestrictedSSLContextService; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.syslog.attributes.SyslogAttributes; @@ -184,8 +184,8 @@ public class ListenSyslog extends AbstractSyslogProcessor { .displayName("Client Auth") .description("The client authentication policy to use for the SSL Context. Only used if an SSL Context Service is provided.") .required(false) - .allowableValues(SslContextFactory.ClientAuth.values()) - .defaultValue(SslContextFactory.ClientAuth.REQUIRED.name()) + .allowableValues(ClientAuth.values()) + .defaultValue(ClientAuth.REQUIRED.name()) .build(); public static final Relationship REL_SUCCESS = new Relationship.Builder() @@ -204,7 +204,7 @@ public class ListenSyslog extends AbstractSyslogProcessor { private volatile SyslogParser parser; private volatile BlockingQueue bufferPool; private volatile BlockingQueue syslogEvents; - private volatile BlockingQueue errorEvents = new LinkedBlockingQueue<>(); + private final BlockingQueue errorEvents = new LinkedBlockingQueue<>(); private volatile byte[] messageDemarcatorBytes; //it is only the array reference that is volatile - not the contents. @Override 
@@ -345,12 +345,12 @@ protected ChannelDispatcher createChannelReader(final ProcessContext context, fi } else { // if an SSLContextService was provided then create an SSLContext to pass down to the dispatcher SSLContext sslContext = null; - SslContextFactory.ClientAuth clientAuth = null; + ClientAuth clientAuth = null; if (sslContextService != null) { final String clientAuthValue = context.getProperty(CLIENT_AUTH).getValue(); - sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.valueOf(clientAuthValue)); - clientAuth = SslContextFactory.ClientAuth.valueOf(clientAuthValue); + sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuthValue)); + clientAuth = ClientAuth.valueOf(clientAuthValue); } final ChannelHandlerFactory, AsyncChannelDispatcher> handlerFactory = new SocketChannelHandlerFactory<>(); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java index 61a962471b33..8359221283dd 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java @@ -49,7 +49,7 @@ import org.apache.nifi.processor.util.listen.event.StandardEventFactory; import org.apache.nifi.processor.util.listen.handler.ChannelHandlerFactory; import org.apache.nifi.processor.util.listen.handler.socket.SocketChannelHandlerFactory; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.RestrictedSSLContextService; import org.apache.nifi.ssl.SSLContextService; 
@@ -79,8 +79,8 @@ public class ListenTCP extends AbstractListenEventBatchingProcessor eventFactory = new StandardEventFactory(); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCPRecord.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCPRecord.java index 100711696caa..5aad87cdc55c 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCPRecord.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCPRecord.java @@ -64,7 +64,7 @@ import org.apache.nifi.processor.util.listen.ListenerProperties; import org.apache.nifi.record.listen.SocketChannelRecordReader; import org.apache.nifi.record.listen.SocketChannelRecordReaderDispatcher; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.serialization.RecordReader; import org.apache.nifi.serialization.RecordReaderFactory; import org.apache.nifi.serialization.RecordSetWriter; @@ -190,8 +190,8 @@ public class ListenTCPRecord extends AbstractProcessor { .displayName("Client Auth") .description("The client authentication policy to use for the SSL Context. Only used if an SSL Context Service is provided.") .required(false) - .allowableValues(SslContextFactory.ClientAuth.values()) - .defaultValue(SslContextFactory.ClientAuth.REQUIRED.name()) + .allowableValues(ClientAuth.values()) + .defaultValue(ClientAuth.REQUIRED.name()) .build(); static final Relationship REL_SUCCESS = new Relationship.Builder() 
@@ -228,7 +228,7 @@ public class ListenTCPRecord extends AbstractProcessor { private volatile int port; private volatile SocketChannelRecordReaderDispatcher dispatcher; - private volatile BlockingQueue socketReaders = new LinkedBlockingQueue<>(); + private final BlockingQueue socketReaders = new LinkedBlockingQueue<>(); @Override public Set getRelationships() { @@ -276,12 +276,12 @@ public void onScheduled(final ProcessContext context) throws IOException { } SSLContext sslContext = null; - SslContextFactory.ClientAuth clientAuth = null; + ClientAuth clientAuth = null; final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class); if (sslContextService != null) { final String clientAuthValue = context.getProperty(CLIENT_AUTH).getValue(); - sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.valueOf(clientAuthValue)); - clientAuth = SslContextFactory.ClientAuth.valueOf(clientAuthValue); + sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuthValue)); + clientAuth = ClientAuth.valueOf(clientAuthValue); } // create a ServerSocketChannel in non-blocking mode and bind to the given address and port diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutSyslog.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutSyslog.java index dae38351c1ce..3691770ed3bf 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutSyslog.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutSyslog.java 
@@ -54,7 +54,7 @@ import org.apache.nifi.processor.util.put.sender.DatagramChannelSender; import org.apache.nifi.processor.util.put.sender.SSLSocketChannelSender; import org.apache.nifi.processor.util.put.sender.SocketChannelSender; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.syslog.parsers.SyslogParser; import org.apache.nifi.util.StopWatch; @@ -249,7 +249,7 @@ protected ChannelSender createSender(final SSLContextService sslContextService, } else { // if an SSLContextService is provided then we make a secure sender if (sslContextService != null) { - final SSLContext sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.REQUIRED); + final SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); sender = new SSLSocketChannelSender(host, port, maxSendBufferSize, sslContext, getLogger()); } else { sender = new SocketChannelSender(host, port, maxSendBufferSize, getLogger()); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutTCP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutTCP.java index de28fac99400..798fb5ca5a41 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutTCP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutTCP.java 
@@ -42,7 +42,7 @@ import org.apache.nifi.processor.util.put.AbstractPutEventProcessor; import org.apache.nifi.processor.util.put.sender.ChannelSender; import org.apache.nifi.processor.util.put.sender.SocketChannelSender; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.util.StopWatch; @@ -115,7 +115,7 @@ protected ChannelSender createSender(final ProcessContext context) throws IOExce SSLContext sslContext = null; if (sslContextService != null) { - sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.REQUIRED); + sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); } return createSender(protocol, hostname, port, timeout, bufferSize, sslContext); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestGetHTTPGroovy.groovy b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestGetHTTPGroovy.groovy index a01874d823b9..58b6293a27a4 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestGetHTTPGroovy.groovy +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestGetHTTPGroovy.groovy 
@@ -366,7 +366,7 @@ class TestGetHTTPGroovy extends GroovyTestCase { runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, KEYSTORE_TYPE) runner.setProperty(sslContextService, StandardSSLContextService.SSL_ALGORITHM, protocol) runner.enableControllerService(sslContextService) - def sslContext = sslContextService.createSSLContext(org.apache.nifi.security.util.SslContextFactory.ClientAuth.NONE) + def sslContext = sslContextService.createSSLContext(org.apache.nifi.security.util.ClientAuth.NONE) logger.info("GetHTTP supported protocols: ${sslContext.protocol}") logger.info("GetHTTP supported cipher suites: ${sslContext.supportedSSLParameters.cipherSuites}") } diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestPostHTTPGroovy.groovy b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestPostHTTPGroovy.groovy index 8b96bdc18990..73519435a3f8 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestPostHTTPGroovy.groovy +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestPostHTTPGroovy.groovy 
@@ -330,7 +330,7 @@ class TestPostHTTPGroovy extends GroovyTestCase { runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, KEYSTORE_TYPE) runner.setProperty(sslContextService, StandardSSLContextService.SSL_ALGORITHM, protocol) runner.enableControllerService(sslContextService) - def sslContext = sslContextService.createSSLContext(org.apache.nifi.security.util.SslContextFactory.ClientAuth.NONE) + def sslContext = sslContextService.createSSLContext(org.apache.nifi.security.util.ClientAuth.NONE) logger.info("PostHTTP supported protocols: ${sslContext.protocol}") logger.info("PostHTTP supported cipher suites: ${sslContext.supportedSSLParameters.cipherSuites}") } diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/ITestHandleHttpRequest.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/ITestHandleHttpRequest.java index 93510ee3a9c4..ece1a93b964c 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/ITestHandleHttpRequest.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/ITestHandleHttpRequest.java @@ -59,8 +59,9 @@ import org.apache.nifi.processor.ProcessContext; import org.apache.nifi.processors.standard.util.HTTPUtils; import org.apache.nifi.reporting.InitializationException; -import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.StandardRestrictedSSLContextService; 
@@ -105,7 +106,7 @@ private static Map getServerKeystoreProperties() { return properties; } - private static SSLContext useSSLContextService(final TestRunner controller, final Map sslProperties, SslContextFactory.ClientAuth clientAuth) { + private static SSLContext useSSLContextService(final TestRunner controller, final Map sslProperties, ClientAuth clientAuth) { final SSLContextService service = new StandardRestrictedSSLContextService(); try { controller.addControllerService("ssl-service", service, sslProperties); @@ -121,10 +122,10 @@ private static SSLContext useSSLContextService(final TestRunner controller, fina @Before public void setUp() throws Exception { - clientTlsConfiguration = new TlsConfiguration(CLIENT_KEYSTORE, KEYSTORE_PASSWORD, null, CLIENT_KEYSTORE_TYPE, - TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); - trustOnlyTlsConfiguration = new TlsConfiguration(null, null, null, null, - TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + clientTlsConfiguration = new StandardTlsConfiguration(CLIENT_KEYSTORE, KEYSTORE_PASSWORD, null, CLIENT_KEYSTORE_TYPE, + TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); + trustOnlyTlsConfiguration = new StandardTlsConfiguration(null, null, null, null, + TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); } @After 
@@ -580,8 +581,8 @@ private void secureTest(boolean twoWaySsl) throws Exception { final Map sslProperties = getServerKeystoreProperties(); sslProperties.putAll(getTruststoreProperties()); - sslProperties.put(StandardSSLContextService.SSL_ALGORITHM.getName(), CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); - useSSLContextService(runner, sslProperties, twoWaySsl ? SslContextFactory.ClientAuth.REQUIRED : SslContextFactory.ClientAuth.NONE); + sslProperties.put(StandardSSLContextService.SSL_ALGORITHM.getName(), TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); + useSSLContextService(runner, sslProperties, twoWaySsl ? ClientAuth.REQUIRED : ClientAuth.NONE); final Thread httpThread = new Thread(new Runnable() { @Override diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenHTTP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenHTTP.java index e2e90115556e..4fc8661627d5 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenHTTP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenHTTP.java @@ -46,8 +46,8 @@ import org.apache.nifi.processor.ProcessSessionFactory; import org.apache.nifi.remote.io.socket.NetworkUtils; import org.apache.nifi.reporting.InitializationException; -import org.apache.nifi.security.util.CertificateUtils; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.apache.nifi.ssl.SSLContextService; 
@@ -106,10 +106,10 @@ public void setup() throws IOException { runner.setVariable(PORT_VARIABLE, Integer.toString(availablePort)); runner.setVariable(BASEPATH_VARIABLE, HTTP_BASE_PATH); - clientTlsConfiguration = new TlsConfiguration(CLIENT_KEYSTORE, KEYSTORE_PASSWORD, null, CLIENT_KEYSTORE_TYPE, - TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); - trustOnlyTlsConfiguration = new TlsConfiguration(null, null, null, null, - TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + clientTlsConfiguration = new StandardTlsConfiguration(CLIENT_KEYSTORE, KEYSTORE_PASSWORD, null, CLIENT_KEYSTORE_TYPE, + TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); + trustOnlyTlsConfiguration = new StandardTlsConfiguration(null, null, null, null, + TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); } @After @@ -157,7 +157,7 @@ public void testPOSTRequestsReturnCodeReceivedWithEL() throws Exception { @Test public void testSecurePOSTRequestsReceivedWithoutEL() throws Exception { SSLContextService sslContextService = configureProcessorSslContextService(false); - runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); runner.enableControllerService(sslContextService); runner.setProperty(ListenHTTP.PORT, Integer.toString(availablePort)); 
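Review bot: `TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()` is written out twice in `setup()` and again in each secure test method that follows (`testSecurePOSTRequests...`, `testSecureTwoWaySslPOSTRequests...`, `testSecureInvalidSSLConfiguration`), which is why moving the method touched so many lines. A single constant would name the protocol under test in one place, for example `private static final String TLS_PROTOCOL_VERSION = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion();`, assuming the method returns a `String` as its use in `runner.setProperty` suggests. `ITestHandleHttpRequest` repeats the same expression in `setUp()` and `secureTest` and could use the same approach.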
@@ -170,7 +170,7 @@ public void testSecurePOSTRequestsReceivedWithoutEL() throws Exception { @Test public void testSecurePOSTRequestsReturnCodeReceivedWithoutEL() throws Exception { SSLContextService sslContextService = configureProcessorSslContextService(false); - runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); runner.enableControllerService(sslContextService); runner.setProperty(ListenHTTP.PORT, Integer.toString(availablePort)); @@ -184,7 +184,7 @@ public void testSecurePOSTRequestsReturnCodeReceivedWithoutEL() throws Exception @Test public void testSecurePOSTRequestsReceivedWithEL() throws Exception { SSLContextService sslContextService = configureProcessorSslContextService(false); - runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); runner.enableControllerService(sslContextService); runner.setProperty(ListenHTTP.PORT, HTTP_SERVER_PORT_EL); 
@@ -197,7 +197,7 @@ public void testSecurePOSTRequestsReceivedWithEL() throws Exception { @Test public void testSecurePOSTRequestsReturnCodeReceivedWithEL() throws Exception { SSLContextService sslContextService = configureProcessorSslContextService(false); - runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); runner.enableControllerService(sslContextService); runner.setProperty(ListenHTTP.PORT, Integer.toString(availablePort)); @@ -211,7 +211,7 @@ public void testSecurePOSTRequestsReturnCodeReceivedWithEL() throws Exception { @Test public void testSecureTwoWaySslPOSTRequestsReceivedWithoutEL() throws Exception { SSLContextService sslContextService = configureProcessorSslContextService(true); - runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); runner.enableControllerService(sslContextService); runner.setProperty(ListenHTTP.PORT, Integer.toString(availablePort)); 
@@ -224,7 +224,7 @@ public void testSecureTwoWaySslPOSTRequestsReceivedWithoutEL() throws Exception @Test public void testSecureTwoWaySslPOSTRequestsReturnCodeReceivedWithoutEL() throws Exception { SSLContextService sslContextService = configureProcessorSslContextService(true); - runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); runner.enableControllerService(sslContextService); runner.setProperty(ListenHTTP.PORT, Integer.toString(availablePort)); @@ -238,7 +238,7 @@ public void testSecureTwoWaySslPOSTRequestsReturnCodeReceivedWithoutEL() throws @Test public void testSecureTwoWaySslPOSTRequestsReceivedWithEL() throws Exception { SSLContextService sslContextService = configureProcessorSslContextService(true); - runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); runner.enableControllerService(sslContextService); runner.setProperty(ListenHTTP.PORT, HTTP_SERVER_PORT_EL); 
@@ -251,7 +251,7 @@ public void testSecureTwoWaySslPOSTRequestsReceivedWithEL() throws Exception { @Test public void testSecureTwoWaySslPOSTRequestsReturnCodeReceivedWithEL() throws Exception { SSLContextService sslContextService = configureProcessorSslContextService(true); - runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + runner.setProperty(sslContextService, StandardRestrictedSSLContextService.RESTRICTED_SSL_ALGORITHM, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); runner.enableControllerService(sslContextService); runner.setProperty(ListenHTTP.PORT, Integer.toString(availablePort)); @@ -265,7 +265,7 @@ public void testSecureTwoWaySslPOSTRequestsReturnCodeReceivedWithEL() throws Exc @Test public void testSecureInvalidSSLConfiguration() throws Exception { SSLContextService sslContextService = configureInvalidProcessorSslContextService(); - runner.setProperty(sslContextService, StandardSSLContextService.SSL_ALGORITHM, CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + runner.setProperty(sslContextService, StandardSSLContextService.SSL_ALGORITHM, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); runner.enableControllerService(sslContextService); runner.setProperty(ListenHTTP.PORT, HTTP_SERVER_PORT_EL); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java index f651f363aace..aa6f6baeac64 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java 
@@ -38,7 +38,7 @@ import org.apache.nifi.provenance.ProvenanceEventRecord; import org.apache.nifi.provenance.ProvenanceEventType; import org.apache.nifi.reporting.InitializationException; -import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.StandardSSLContextService; import org.apache.nifi.util.MockFlowFile; @@ -226,7 +226,7 @@ protected void run(final List frames, final int expectedTransferred, // create either a regular socket or ssl socket based on context being passed in if (sslContextService != null) { - final SSLContext sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.REQUIRED); + final SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED); socket = sslContext.getSocketFactory().createSocket("localhost", realPort); } else { socket = new Socket("localhost", realPort); @@ -283,7 +283,7 @@ private void sendFrames(final List frames, final Socket socket) throw // Extend ListenRELP so we can use the CapturingSocketChannelResponseDispatcher private static class ResponseCapturingListenRELP extends ListenRELP { - private List responses = new ArrayList<>(); + private final List responses = new ArrayList<>(); @Override protected void respond(RELPEvent event, RELPResponse relpResponse) { @@ -295,7 +295,7 @@ protected void respond(RELPEvent event, RELPResponse relpResponse) { // Extend ListenRELP to mock the ChannelDispatcher and allow us to return staged events private static class MockListenRELP extends ListenRELP { - private List mockEvents; + private final List mockEvents; public MockListenRELP(List mockEvents) { this.mockEvents = mockEvents; 
diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java index 428994b1cfc5..c2bb828b8923 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java @@ -26,7 +26,9 @@ import org.apache.nifi.processor.ProcessContext; import org.apache.nifi.processor.ProcessSessionFactory; import org.apache.nifi.reporting.InitializationException; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.apache.nifi.ssl.SSLContextService; @@ -65,9 +67,9 @@ public void setup() { runner = TestRunners.newTestRunner(proc); runner.setProperty(ListenTCP.PORT, "0"); - clientTlsConfiguration = new TlsConfiguration(CLIENT_KEYSTORE, KEYSTORE_PASSWORD, null, CLIENT_KEYSTORE_TYPE, + clientTlsConfiguration = new StandardTlsConfiguration(CLIENT_KEYSTORE, KEYSTORE_PASSWORD, null, CLIENT_KEYSTORE_TYPE, TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, TLS_PROTOCOL_VERSION); - trustOnlyTlsConfiguration = new TlsConfiguration(null, null, null, null, + trustOnlyTlsConfiguration = new StandardTlsConfiguration(null, null, null, null, TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, TLS_PROTOCOL_VERSION); } 
@@ -80,7 +82,7 @@ public void testCustomValidate() throws InitializationException { runner.setProperty(ListenTCP.CLIENT_AUTH, ""); runner.assertNotValid(); - runner.setProperty(ListenTCP.CLIENT_AUTH, SslContextFactory.ClientAuth.REQUIRED.name()); + runner.setProperty(ListenTCP.CLIENT_AUTH, ClientAuth.REQUIRED.name()); runner.assertValid(); } @@ -127,7 +129,7 @@ public void testListenTCPBatching() throws IOException, InterruptedException { public void testTLSClientAuthRequiredAndClientCertProvided() throws InitializationException, IOException, InterruptedException, TlsException { - runner.setProperty(ListenTCP.CLIENT_AUTH, SslContextFactory.ClientAuth.REQUIRED.name()); + runner.setProperty(ListenTCP.CLIENT_AUTH, ClientAuth.REQUIRED.name()); configureProcessorSslContextService(); final List messages = new ArrayList<>(); @@ -138,7 +140,7 @@ public void testTLSClientAuthRequiredAndClientCertProvided() throws Initializati messages.add("This is message 5\n"); // Make an SSLContext with a key and trust store to send the test messages - final SSLContext clientSslContext = SslContextFactory.createSslContext(clientTlsConfiguration, SslContextFactory.ClientAuth.NONE); + final SSLContext clientSslContext = SslContextFactory.createSslContext(clientTlsConfiguration, ClientAuth.NONE); runTCP(messages, messages.size(), clientSslContext); @@ -151,7 +153,7 @@ public void testTLSClientAuthRequiredAndClientCertProvided() throws Initializati @Test public void testTLSClientAuthRequiredAndClientCertNotProvided() throws InitializationException, TlsException { - runner.setProperty(ListenTCP.CLIENT_AUTH, SslContextFactory.ClientAuth.REQUIRED.name()); + runner.setProperty(ListenTCP.CLIENT_AUTH, ClientAuth.REQUIRED.name()); configureProcessorSslContextService(); final List messages = new ArrayList<>(); 
@@ -175,7 +177,7 @@ public void testTLSClientAuthRequiredAndClientCertNotProvided() throws Initializ @Test public void testTLSClientAuthNoneAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException, TlsException { - runner.setProperty(ListenTCP.CLIENT_AUTH, SslContextFactory.ClientAuth.NONE.name()); + runner.setProperty(ListenTCP.CLIENT_AUTH, ClientAuth.NONE.name()); configureProcessorSslContextService(); final List messages = new ArrayList<>(); diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCPRecord.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCPRecord.java index 91707deaa763..8af404cfd434 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCPRecord.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCPRecord.java @@ -30,7 +30,9 @@ import org.apache.nifi.processor.ProcessSessionFactory; import org.apache.nifi.reporting.InitializationException; import org.apache.nifi.schema.access.SchemaAccessUtils; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.apache.nifi.serialization.RecordReaderFactory; 
@@ -113,9 +115,9 @@ public void setup() throws InitializationException { runner.setProperty(ListenTCPRecord.RECORD_READER, readerId); runner.setProperty(ListenTCPRecord.RECORD_WRITER, writerId); - clientTlsConfiguration = new TlsConfiguration(CLIENT_KEYSTORE, KEYSTORE_PASSWORD, null, CLIENT_KEYSTORE_TYPE, + clientTlsConfiguration = new StandardTlsConfiguration(CLIENT_KEYSTORE, KEYSTORE_PASSWORD, null, CLIENT_KEYSTORE_TYPE, TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, TLS_PROTOCOL_VERSION); - trustOnlyTlsConfiguration = new TlsConfiguration(null, null, null, null, + trustOnlyTlsConfiguration = new StandardTlsConfiguration(null, null, null, null, TRUSTSTORE, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, TLS_PROTOCOL_VERSION); } @@ -128,7 +130,7 @@ public void testCustomValidate() throws InitializationException { runner.setProperty(ListenTCPRecord.CLIENT_AUTH, ""); runner.assertNotValid(); - runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SslContextFactory.ClientAuth.REQUIRED.name()); + runner.setProperty(ListenTCPRecord.CLIENT_AUTH, ClientAuth.REQUIRED.name()); runner.assertValid(); } @@ -171,7 +173,7 @@ public void testMultipleRecordsPerFlowFileLessThanBatchSize() throws IOException @Test public void testTLSClientAuthRequiredAndClientCertProvided() throws InitializationException, IOException, InterruptedException, TlsException { - runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SslContextFactory.ClientAuth.REQUIRED.name()); + runner.setProperty(ListenTCPRecord.CLIENT_AUTH, ClientAuth.REQUIRED.name()); configureProcessorSslContextService(); // Make an SSLContext with a key and trust store to send the test messages 
@@ -192,7 +194,7 @@ public void testTLSClientAuthRequiredAndClientCertProvided() throws Initializati @Test public void testTLSClientAuthRequiredAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException, TlsException { - runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SslContextFactory.ClientAuth.REQUIRED.name()); + runner.setProperty(ListenTCPRecord.CLIENT_AUTH, ClientAuth.REQUIRED.name()); runner.setProperty(ListenTCPRecord.READ_TIMEOUT, "5 seconds"); configureProcessorSslContextService(); @@ -205,7 +207,7 @@ public void testTLSClientAuthRequiredAndClientCertNotProvided() throws Initializ @Test public void testTLSClientAuthNoneAndClientCertNotProvided() throws InitializationException, IOException, InterruptedException, TlsException { - runner.setProperty(ListenTCPRecord.CLIENT_AUTH, SslContextFactory.ClientAuth.NONE.name()); + runner.setProperty(ListenTCPRecord.CLIENT_AUTH, ClientAuth.NONE.name()); configureProcessorSslContextService(); // Make an SSLContext that only has the trust store, this should work since the processor has client auth NONE diff --git a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/util/TCPTestServer.java b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/util/TCPTestServer.java index de33da0e43b6..8be0bcb31470 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/util/TCPTestServer.java +++ b/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/util/TCPTestServer.java 
@@ -26,8 +26,9 @@ import java.util.concurrent.ArrayBlockingQueue; import javax.net.ServerSocketFactory; import javax.net.ssl.SSLContext; -import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; public class TCPTestServer implements Runnable { @@ -54,9 +55,9 @@ public TCPTestServer(final InetAddress ipAddress, final ArrayBlockingQueue org.apache.nifi - nifi-security-xml-config + nifi-security-utils 1.13.0-SNAPSHOT diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/OAuth2TokenProviderImpl.java b/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/OAuth2TokenProviderImpl.java index dd67e040daff..0c234c49943f 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/OAuth2TokenProviderImpl.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/OAuth2TokenProviderImpl.java @@ -18,6 +18,10 @@ package org.apache.nifi.oauth2; import com.fasterxml.jackson.databind.ObjectMapper; +import java.io.IOException; +import java.util.List; +import java.util.Map; +import javax.net.ssl.SSLContext; import okhttp3.FormBody; import okhttp3.OkHttpClient; import okhttp3.Request; 
@@ -30,17 +34,12 @@ import org.apache.nifi.controller.AbstractControllerService; import org.apache.nifi.controller.ConfigurationContext; import org.apache.nifi.processor.exception.ProcessException; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.security.util.OkHttpClientUtils; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.ssl.SSLContextService; -import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.util.StringUtils; -import javax.net.ssl.SSLContext; -import java.io.IOException; -import java.util.List; -import java.util.Map; - @Tags({"oauth2", "provider", "authorization" }) @CapabilityDescription("This controller service provides a way of working with access and refresh tokens via the " + "password and client_credential grant flows in the OAuth2 specification. It is meant to provide a way for components " + @@ -53,15 +52,15 @@ public List getSupportedPropertyDescriptors() { private String resourceServerUrl; private SSLContext sslContext; - private SSLContextService sslContextService; + private SSLContextService sslService; @OnEnabled public void onEnabled(ConfigurationContext context) { resourceServerUrl = context.getProperty(ACCESS_TOKEN_URL).evaluateAttributeExpressions().getValue(); - sslContextService = context.getProperty(SSL_CONTEXT).asControllerService(SSLContextService.class); + sslService = context.getProperty(SSL_CONTEXT).asControllerService(SSLContextService.class); - sslContext = sslContextService == null ? null : sslContextService.createSSLContext(SslContextFactory.ClientAuth.NONE); + sslContext = sslService == null ? null : sslService.createSSLContext(ClientAuth.NONE); } 
@@ -90,8 +89,8 @@ public AccessToken getAccessTokenByPassword(String clientId, String clientSecret private OkHttpClient.Builder getClientBuilder() { OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder(); - if (sslContextService != null) { - final TlsConfiguration tlsConfiguration = sslContextService.createTlsConfiguration(); + if (sslService != null) { + final TlsConfiguration tlsConfiguration = sslService.createTlsConfiguration(); OkHttpClientUtils.applyTlsToOkHttpClientBuilder(tlsConfiguration, clientBuilder); } diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java index ed8382ad2f12..14d259f46613 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java @@ -17,12 +17,17 @@ package org.apache.nifi.ssl; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; +import java.util.HashSet; import java.util.List; +import java.util.Set; import org.apache.nifi.annotation.documentation.CapabilityDescription; import org.apache.nifi.annotation.documentation.Tags; +import org.apache.nifi.components.AllowableValue; import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.processor.util.StandardValidators; +import org.apache.nifi.security.util.TlsConfiguration; /** * This class is functionally the same as {@link StandardSSLContextService}, but it restricts the allowable 
@@ -42,7 +47,7 @@ public class StandardRestrictedSSLContextService extends StandardSSLContextServi .displayName("TLS Protocol") .defaultValue("TLS") .required(false) - .allowableValues(RestrictedSSLContextService.buildAlgorithmAllowableValues()) + .allowableValues(buildAlgorithmAllowableValues()) .description(StandardSSLContextService.COMMON_TLS_PROTOCOL_DESCRIPTION + "On Java 11, for example, TLSv1.3 will be the default, but if a client does not support it, TLSv1.2 will be offered as a fallback. TLSv1.0 and TLSv1.1 are not supported at all. ") .addValidator(StandardValidators.NON_EMPTY_VALIDATOR) @@ -73,4 +78,22 @@ protected List getSupportedPropertyDescriptors() { public String getSslAlgorithm() { return configContext.getProperty(RESTRICTED_SSL_ALGORITHM).getValue(); } + + /** + * Build a restricted set of allowable TLS protocol algorithms. + * + * @return the computed set of allowable values + */ + static AllowableValue[] buildAlgorithmAllowableValues() { + final Set supportedProtocols = new HashSet<>(); + + supportedProtocols.add("TLS"); + + /* + * Add specifically supported TLS versions + */ + supportedProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions())); + + return SSLContextService.formAllowableValues(supportedProtocols); + } } diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java index 6e2878a3f957..1f75fb4d562d 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java 
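Review bot: The new `buildAlgorithmAllowableValues()` in StandardRestrictedSSLContextService is package-private, while the method it replaces was a static member of the `RestrictedSSLContextService` interface (removed later in this diff). Code outside `org.apache.nifi.ssl` that called the interface method is therefore left without a replacement; if that is intended, the Javadoc should say so, otherwise declare it `public static`. The removed version also explained why "TLS" is prepopulated and sorted the values for consistent presentation, whereas ordering now depends on `SSLContextService.formAllowableValues`, which is outside this hunk, and a `HashSet` has no stable order of its own. I would restore a one-line comment above `supportedProtocols.add("TLS")`, for example `// "TLS" is the generic SSLContext instance type; the JVM selects the protocol version`.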
@@ -40,6 +40,7 @@ import org.apache.nifi.security.util.KeyStoreUtils; import org.apache.nifi.security.util.KeystoreType; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.security.util.TlsException; import org.apache.nifi.util.StringUtils; @@ -229,13 +230,21 @@ protected int getValidationCacheExpiration() { */ @Override public TlsConfiguration createTlsConfiguration() { - return new TlsConfiguration(getKeyStoreFile(), getKeyStorePassword(), + return new StandardTlsConfiguration(getKeyStoreFile(), getKeyStorePassword(), getKeyPassword(), getKeyStoreType(), getTrustStoreFile(), getTrustStorePassword(), getTrustStoreType(), getSslAlgorithm()); } + /** + * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred + * over the overloaded method which accepts the deprecated {@link ClientAuth} enum. + * + * @param clientAuth the desired level of client authentication + * @return the configured SSLContext + * @throws ProcessException if there is a problem configuring the context + */ @Override - public SSLContext createSSLContext(final SslContextFactory.ClientAuth clientAuth) throws ProcessException { + public SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException { try { return SslContextFactory.createSslContext(createTlsConfiguration(), clientAuth); } catch (TlsException e) { 
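Review bot: In the Javadoc added above `createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth)`, the reference `{@link ClientAuth}` is ambiguous, because two enums share that simple name and the signature itself has to spell the new one out in full. Name the link target explicitly, for example `{@link SSLContextService.ClientAuth}` for the deprecated type, so a reader can tell which enum is the deprecated one. The same applies to the Javadoc of the deprecated overload in the following hunk. The `catch (TlsException e)` block of this method continues outside the hunk.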
@@ -244,6 +253,21 @@ public SSLContext createSSLContext(final SslContextFactory.ClientAuth clientAuth } } + /** + * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated + * due to the use of the deprecated {@link ClientAuth} enum and the overloaded method + * ({@link #createSSLContext(org.apache.nifi.security.util.ClientAuth)}) is preferred. + * + * @param clientAuth the desired level of client authentication + * @return the configured SSLContext + * @throws ProcessException if there is a problem configuring the context + */ + @Override + public SSLContext createSSLContext(final ClientAuth clientAuth) throws ProcessException { + org.apache.nifi.security.util.ClientAuth resolvedClientAuth = org.apache.nifi.security.util.ClientAuth.valueOf(clientAuth.name()); + return createSSLContext(resolvedClientAuth); + } + @Override public String getTrustStoreFile() { return configContext.getProperty(TRUSTSTORE).getValue(); diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/groovy/org/apache/nifi/ssl/StandardSSLContextServiceTest.groovy b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/groovy/org/apache/nifi/ssl/StandardSSLContextServiceTest.groovy index 51e293e0e9af..01f86e33f8e7 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/groovy/org/apache/nifi/ssl/StandardSSLContextServiceTest.groovy +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/groovy/org/apache/nifi/ssl/StandardSSLContextServiceTest.groovy 
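Review bot: The overload `createSSLContext(final ClientAuth clientAuth)` is called deprecated only in prose; it carries no `@Deprecated` annotation or `@deprecated` Javadoc tag in this hunk, so callers get no compiler warning unless the interface declaration (not shown) supplies one. The mapping `org.apache.nifi.security.util.ClientAuth.valueOf(clientAuth.name())` also throws `NullPointerException` for a null argument and `IllegalArgumentException` if the two enums ever diverge, and neither is the documented `ProcessException`. I would add `@Deprecated` next to `@Override`, and either list those exceptions in the Javadoc or catch `IllegalArgumentException` and rethrow it as `ProcessException` with the offending name in the message.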
@@ -19,7 +19,7 @@ package org.apache.nifi.ssl import org.apache.nifi.components.ValidationContext import org.apache.nifi.components.ValidationResult import org.apache.nifi.components.Validator -import org.apache.nifi.security.util.SslContextFactory +import org.apache.nifi.security.util.ClientAuth import org.apache.nifi.state.MockStateManager import org.apache.nifi.util.MockProcessContext import org.apache.nifi.util.MockValidationContext @@ -176,7 +176,7 @@ class StandardSSLContextServiceTest { runner.assertValid(sslContextService) // Act - SSLContext sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.NONE) // Assert assert sslContext @@ -198,7 +198,7 @@ class StandardSSLContextServiceTest { runner.assertValid(sslContextService) // Act - SSLContext sslContext = sslContextService.createSSLContext(SslContextFactory.ClientAuth.NONE) + SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.NONE) // Assert assert sslContext 
@@ -258,4 +258,32 @@ class StandardSSLContextServiceTest { // If the EL was evaluated, the path would be valid assert !vr.isValid() } + + /** + * This test ensures that the deprecated ClientAuth enum is correctly mapped to the canonical enum. + */ + @Test + void testShouldTranslateValidDeprecatedClientAuths() { + // Arrange + TestRunner runner = TestRunners.newTestRunner(TestProcessor.class) + String controllerServiceId = "ssl-context" + final SSLContextService sslContextService = new StandardSSLContextService() + runner.addControllerService(controllerServiceId, sslContextService) + runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, NO_PASSWORD_TRUSTSTORE_PATH) + runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, TRUSTSTORE_TYPE) + runner.enableControllerService(sslContextService) + runner.assertValid(sslContextService) + + // Act + Map sslContexts = SSLContextService.ClientAuth.values().collectEntries { ca -> + [ca, sslContextService.createSSLContext(ca)] + } + + // Assert + assert sslContexts.size() == ClientAuth.values().size() + sslContexts.every { clientAuth, sslContext -> + assert ClientAuth.isValidClientAuthType(clientAuth.name()) + assert sslContext + } + } } diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/RestrictedSSLContextServiceTest.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/RestrictedSSLContextServiceTest.java index aced8d776409..61eaa0e47922 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/RestrictedSSLContextServiceTest.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/RestrictedSSLContextServiceTest.java 
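Review bot: The closing `sslContexts.every { clientAuth, sslContext -> ... }` most likely checks only the first map entry. Its closure ends with an `assert` statement, which yields no value, so the closure returns null and `every` stops at the first falsy result; the return value of `every` is also discarded. Use `sslContexts.each { clientAuth, sslContext -> ... }` so both assertions run for every deprecated `SSLContextService.ClientAuth` constant. The size check compares against `ClientAuth.values().size()` of the new enum, which holds only while both enums have the same number of constants; comparing with `SSLContextService.ClientAuth.values().size()` would state the intent directly.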
@@ -25,7 +25,7 @@ import java.util.HashSet; import java.util.Set; import org.apache.nifi.components.AllowableValue; -import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.TlsConfiguration; import org.junit.Test; public class RestrictedSSLContextServiceTest { @@ -34,9 +34,9 @@ public class RestrictedSSLContextServiceTest { public void testTLSAlgorithms() { final Set expected = new HashSet<>(); expected.add("TLS"); - expected.addAll(Arrays.asList(CertificateUtils.getCurrentSupportedTlsProtocolVersions())); + expected.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions())); - final AllowableValue[] allowableValues = RestrictedSSLContextService.buildAlgorithmAllowableValues(); + final AllowableValue[] allowableValues = StandardRestrictedSSLContextService.buildAlgorithmAllowableValues(); assertThat(allowableValues, notNullValue()); assertThat(allowableValues.length, equalTo(expected.size())); for(final AllowableValue value : allowableValues) { diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/SSLContextServiceTest.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/SSLContextServiceTest.java index e654b8a09a10..5f944ba09686 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/SSLContextServiceTest.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/SSLContextServiceTest.java 
@@ -38,7 +38,7 @@ import org.apache.nifi.components.ValidationContext; import org.apache.nifi.components.ValidationResult; import org.apache.nifi.reporting.InitializationException; -import org.apache.nifi.security.util.SslContextFactory.ClientAuth; +import org.apache.nifi.security.util.ClientAuth; import org.apache.nifi.util.MockProcessContext; import org.apache.nifi.util.MockValidationContext; import org.apache.nifi.util.TestRunner; diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/pom.xml index d37025a3eae5..4d765259e6cf 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/pom.xml +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/pom.xml @@ -28,7 +28,7 @@ org.apache.nifi - nifi-security-utils + nifi-security-utils-api 1.13.0-SNAPSHOT compile diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/RestrictedSSLContextService.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/RestrictedSSLContextService.java index 2544a71a17a3..05fd136097df 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/RestrictedSSLContextService.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/RestrictedSSLContextService.java 
@@ -16,50 +16,10 @@ */ package org.apache.nifi.ssl; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.HashSet; -import java.util.List; -import java.util.Set; -import org.apache.nifi.components.AllowableValue; -import org.apache.nifi.security.util.CertificateUtils; - /** * Simple extension of the regular {@link SSLContextService} to allow for restricted implementations * of that interface. */ public interface RestrictedSSLContextService extends SSLContextService { - /** - * Build a restricted set of allowable TLS protocol algorithms. - * - * @return the computed set of allowable values - */ - static AllowableValue[] buildAlgorithmAllowableValues() { - final Set supportedProtocols = new HashSet<>(); - - /* - * Prepopulate protocols with generic instance types commonly used - * see: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext - */ - supportedProtocols.add("TLS"); - - /* - * Add specifically supported TLS versions - */ - supportedProtocols.addAll(Arrays.asList(CertificateUtils.getCurrentSupportedTlsProtocolVersions())); - - final int numProtocols = supportedProtocols.size(); - - // Sort for consistent presentation in configuration views - final List supportedProtocolList = new ArrayList<>(supportedProtocols); - Collections.sort(supportedProtocolList); - - final List protocolAllowableValues = new ArrayList<>(); - for (final String protocol : supportedProtocolList) { - protocolAllowableValues.add(new AllowableValue(protocol)); - } - return protocolAllowableValues.toArray(new AllowableValue[numProtocols]); - } } diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java index 27e7d9389ff1..800625fa70cd 100644 
--- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java @@ -29,7 +29,6 @@ import org.apache.nifi.components.AllowableValue; import org.apache.nifi.controller.ControllerService; import org.apache.nifi.processor.exception.ProcessException; -import org.apache.nifi.security.util.SslContextFactory; import org.apache.nifi.security.util.TlsConfiguration; /** 
@@ -41,10 +40,42 @@ + "that configuration throughout the application") public interface SSLContextService extends ControllerService { - // May need to back out if NAR-specific API can't be modified in minor release TlsConfiguration createTlsConfiguration(); - SSLContext createSSLContext(final SslContextFactory.ClientAuth clientAuth) throws ProcessException; + /** + * This enum was removed in 1.12.0 but external custom code has been compiled against it, so it is returned + * in 1.12.1. This enum should no longer be used and any dependent code should now reference + * ClientAuth moving forward. This enum may be removed in a future release. + * + */ + @Deprecated + enum ClientAuth { + WANT, + REQUIRED, + NONE + } + + /** + * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred + * over the overloaded method which accepts the deprecated {@link ClientAuth} enum. + * + * @param clientAuth the desired level of client authentication + * @return the configured SSLContext + * @throws ProcessException if there is a problem configuring the context + */ + SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException; + + /** + * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated + * due to the use of the deprecated {@link ClientAuth} enum and the overloaded method + * ({@link #createSSLContext(org.apache.nifi.security.util.ClientAuth)}) is preferred. + * + * @param clientAuth the desired level of client authentication + * @return the configured SSLContext + * @throws ProcessException if there is a problem configuring the context + */ + @Deprecated + SSLContext createSSLContext(final ClientAuth clientAuth) throws ProcessException; String getTrustStoreFile(); 
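Review bot: The deprecated `createSSLContext(final ClientAuth clientAuth)` overload is declared abstract, so every implementation must translate the nested `SSLContextService.ClientAuth` into `org.apache.nifi.security.util.ClientAuth` on its own. A wrong or missing case in any of them would silently change whether client certificates are requested or required. A default method would keep the mapping in one place: `@Deprecated default SSLContext createSSLContext(final ClientAuth clientAuth) throws ProcessException { return createSSLContext(org.apache.nifi.security.util.ClientAuth.valueOf(clientAuth.name())); }`, assuming the new enum keeps the `WANT`/`REQUIRED`/`NONE` names, which this hunk does not show. The enum's Javadoc should also carry an `@deprecated` tag with `{@link org.apache.nifi.security.util.ClientAuth}`, and it is worth documenting that a literal `createSSLContext(null)` no longer compiles without a cast because both overloads match.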
@@ -90,16 +121,27 @@ static AllowableValue[] buildAlgorithmAllowableValues() { // ignored as default is used } - final int numProtocols = supportedProtocols.size(); + return formAllowableValues(supportedProtocols); + } + + /** + * Returns an array of {@link AllowableValue} objects formed from the provided + * set of Strings. The returned array is sorted for consistency in display order. + * + * @param rawValues the set of string values + * @return an array of AllowableValues + */ + static AllowableValue[] formAllowableValues(Set rawValues) { + final int numProtocols = rawValues.size(); // Sort for consistent presentation in configuration views - final List supportedProtocolList = new ArrayList<>(supportedProtocols); - Collections.sort(supportedProtocolList); + final List valueList = new ArrayList<>(rawValues); + Collections.sort(valueList); - final List protocolAllowableValues = new ArrayList<>(); - for (final String protocol : supportedProtocolList) { - protocolAllowableValues.add(new AllowableValue(protocol)); + final List allowableValues = new ArrayList<>(); + for (final String protocol : valueList) { + allowableValues.add(new AllowableValue(protocol)); } - return protocolAllowableValues.toArray(new AllowableValue[numProtocols]); + return allowableValues.toArray(new AllowableValue[numProtocols]); } } diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-standard-services-api-nar/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-standard-services-api-nar/pom.xml index 9ab9d0b5d25f..eba3d4d3a63b 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-standard-services-api-nar/pom.xml +++ b/nifi-nar-bundles/nifi-standard-services/nifi-standard-services-api-nar/pom.xml @@ -37,6 +37,11 @@ nifi-ssl-context-service-api compile + + org.apache.nifi + nifi-security-utils-api + compile + org.apache.nifi nifi-distributed-cache-client-service-api diff --git a/nifi-nar-bundles/pom.xml b/nifi-nar-bundles/pom.xml index c93bcb361ea0..0fdb2ab78d1d 100755 
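Review bot: `formAllowableValues` is now a generic helper, but its body keeps the protocol-specific names `numProtocols` and `protocol` from the code it was extracted from. The size local is not needed: `for (final String rawValue : valueList)` with `return allowableValues.toArray(new AllowableValue[0]);` reads the same and drops it. As a static interface method it is part of the public API of the service interface, so the Javadoc should state that `rawValues` must be non-null, since `rawValues.size()` is called unguarded. The body of `buildAlgorithmAllowableValues` begins outside this hunk.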
--- a/nifi-nar-bundles/pom.xml +++ b/nifi-nar-bundles/pom.xml @@ -198,6 +198,12 @@ 1.13.0-SNAPSHOT provided + + org.apache.nifi + nifi-security-utils-api + 1.13.0-SNAPSHOT + provided + org.apache.nifi nifi-load-distribution-service-api diff --git a/nifi-toolkit/nifi-toolkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/NiFiClientConfig.java b/nifi-toolkit/nifi-toolkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/NiFiClientConfig.java index fcf150149dce..ee255067a3d7 100644 --- a/nifi-toolkit/nifi-toolkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/NiFiClientConfig.java +++ b/nifi-toolkit/nifi-toolkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/NiFiClientConfig.java @@ -29,14 +29,14 @@ import javax.net.ssl.TrustManagerFactory; import org.apache.nifi.registry.security.util.KeyStoreUtils; import org.apache.nifi.registry.security.util.KeystoreType; -import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.TlsConfiguration; /** * Configuration for a NiFiClient. */ public class NiFiClientConfig { - public static final String DEFAULT_PROTOCOL = CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion(); + public static final String DEFAULT_PROTOCOL = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion(); private final String baseUrl; private final SSLContext sslContext; diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformer.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformer.java index 563c054a556b..e58ab2e9d317 100644 --- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformer.java +++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/client/TlsCertificateSigningRequestPerformer.java 
@@ -39,6 +39,7 @@ import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.ssl.SSLContextBuilder; import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig; import org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityRequest; import org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse; @@ -99,7 +100,7 @@ public X509Certificate[] perform(KeyPair keyPair) throws IOException { HttpClientBuilder httpClientBuilder = httpClientBuilderSupplier.get(); SSLContextBuilder sslContextBuilder = SSLContextBuilder.create(); - sslContextBuilder.useProtocol(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + sslContextBuilder.useProtocol(TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); // We will be validating that we are talking to the correct host once we get the response's hmac of the token and public key of the ca sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy()); diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityService.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityService.java index d95ae8ec463d..bb44077ddf3f 100644 --- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityService.java +++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityService.java 
@@ -25,7 +25,7 @@ import java.security.KeyStore; import java.security.cert.Certificate; import java.security.cert.X509Certificate; -import org.apache.nifi.security.util.CertificateUtils; +import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.toolkit.tls.configuration.TlsConfig; import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager; import org.apache.nifi.toolkit.tls.manager.writer.JsonConfigurationWriter; @@ -63,7 +63,7 @@ private static Server createServer(Handler handler, int port, KeyStore keyStore, Server server = new Server(); SslContextFactory sslContextFactory = new SslContextFactory.Server(); - sslContextFactory.setIncludeProtocols(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()); + sslContextFactory.setIncludeProtocols(TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); sslContextFactory.setKeyStore(keyStore); sslContextFactory.setKeyManagerPassword(keyPassword); diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/status/TlsToolkitGetStatusCommandLine.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/status/TlsToolkitGetStatusCommandLine.java index dc5b8fde30c1..4ce1eb230ea5 100644 --- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/status/TlsToolkitGetStatusCommandLine.java +++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/status/TlsToolkitGetStatusCommandLine.java @@ -20,8 +20,8 @@ import java.net.URISyntaxException; import javax.net.ssl.SSLContext; import org.apache.commons.cli.CommandLine; -import org.apache.nifi.security.util.CertificateUtils; import org.apache.nifi.security.util.SslContextFactory; +import org.apache.nifi.security.util.StandardTlsConfiguration; import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine; import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException; 
@@ -45,7 +45,7 @@ public class TlsToolkitGetStatusCommandLine extends BaseCommandLine { public static final String TRUSTSTORE_PASSWORD_ARG = "trustStorePassword"; public static final String PROTOCOL_ARG = "protocol"; - public static final String DEFAULT_PROTOCOL = CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion(); + public static final String DEFAULT_PROTOCOL = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion(); public static final String DEFAULT_KEYSTORE_TYPE = "JKS"; public static final String DESCRIPTION = "Checks the status of an HTTPS endpoint by making a GET request using a supplied keystore and truststore."; @@ -120,7 +120,7 @@ protected void postParse(CommandLine commandLine) throws CommandLineParseExcepti } try { - TlsConfiguration tlsConfiguration = new TlsConfiguration(keystoreFilename, keystorePassword, keyPassword, keystoreTypeStr, + TlsConfiguration tlsConfiguration = new StandardTlsConfiguration(keystoreFilename, keystorePassword, keyPassword, keystoreTypeStr, truststoreFilename, truststorePassword, truststoreTypeStr, protocol); if (tlsConfiguration.isAnyTruststorePopulated()) {