private void configureSSL(HTTPConnectionHandlerCfg config) throws DirectoryException { protocol = config.isUseSSL() ? "HTTPS" : "HTTP"; if (config.isUseSSL()) { sslEngineConfigurator = createSSLEngineConfigurator(config); } else { sslEngineConfigurator = null; } }
private ConnectionHandlerDescriptor getConnectionHandler( ConnectionHandlerCfg connHandler, String name) throws OpenDsException { SortedSet<InetAddress> addresses = new TreeSet<InetAddress>(getInetAddressComparator()); int port; ConnectionHandlerDescriptor.Protocol protocol; ConnectionHandlerDescriptor.State state = connHandler.isEnabled() ? ConnectionHandlerDescriptor.State.ENABLED : ConnectionHandlerDescriptor.State.DISABLED; if (connHandler instanceof LDAPConnectionHandlerCfg) { LDAPConnectionHandlerCfg ldap = (LDAPConnectionHandlerCfg) connHandler; if (ldap.isUseSSL()) { protocol = ConnectionHandlerDescriptor.Protocol.LDAPS; } else if (ldap.isAllowStartTLS()) { protocol = ConnectionHandlerDescriptor.Protocol.LDAP_STARTTLS; } else { protocol = ConnectionHandlerDescriptor.Protocol.LDAP; } addAll(addresses, ldap.getListenAddress()); port = ldap.getListenPort(); } else if (connHandler instanceof HTTPConnectionHandlerCfg) { HTTPConnectionHandlerCfg http = (HTTPConnectionHandlerCfg) connHandler; if (http.isUseSSL()) { protocol = ConnectionHandlerDescriptor.Protocol.HTTPS; } else { protocol = ConnectionHandlerDescriptor.Protocol.HTTP; } addAll(addresses, http.getListenAddress()); port = http.getListenPort(); } else if (connHandler instanceof JMXConnectionHandlerCfg) { JMXConnectionHandlerCfg jmx = (JMXConnectionHandlerCfg) connHandler; if (jmx.isUseSSL()) { protocol = ConnectionHandlerDescriptor.Protocol.JMXS; } else { protocol = ConnectionHandlerDescriptor.Protocol.JMX; } addAll(addresses, jmx.getListenAddress()); port = jmx.getListenPort(); } else if (connHandler instanceof LDIFConnectionHandlerCfg) { protocol = ConnectionHandlerDescriptor.Protocol.LDIF; port = -1; } else if (connHandler instanceof SNMPConnectionHandlerCfg) { protocol = ConnectionHandlerDescriptor.Protocol.SNMP; SNMPConnectionHandlerCfg snmp = (SNMPConnectionHandlerCfg) connHandler; addAll(addresses, snmp.getListenAddress()); port = snmp.getListenPort(); } else { protocol = ConnectionHandlerDescriptor.Protocol.OTHER; port = -1; } Set<CustomSearchResult> emptySet = Collections.emptySet(); return new ConnectionHandlerDescriptor(addresses, port, protocol, state, name, emptySet); }
private String getHandlerName(HTTPConnectionHandlerCfg config) { StringBuilder nameBuffer = new StringBuilder(); nameBuffer.append(friendlyName); for (InetAddress a : config.getListenAddress()) { nameBuffer.append(" "); nameBuffer.append(a.getHostAddress()); } nameBuffer.append(" port "); nameBuffer.append(config.getListenPort()); return nameBuffer.toString(); }
private SSLEngineConfigurator createSSLEngineConfigurator(HTTPConnectionHandlerCfg config) throws DirectoryException { if (!config.isUseSSL()) { return null; } try { SSLContext sslContext = createSSLContext(config); SSLEngineConfigurator configurator = new SSLEngineConfigurator(sslContext); configurator.setClientMode(false); // configure with defaults from the JVM final SSLEngine defaults = sslContext.createSSLEngine(); configurator.setEnabledProtocols(defaults.getEnabledProtocols()); configurator.setEnabledCipherSuites(defaults.getEnabledCipherSuites()); final Set<String> protocols = config.getSSLProtocol(); if (!protocols.isEmpty()) { configurator.setEnabledProtocols(protocols.toArray(new String[protocols.size()])); } final Set<String> ciphers = config.getSSLCipherSuite(); if (!ciphers.isEmpty()) { configurator.setEnabledCipherSuites(ciphers.toArray(new String[ciphers.size()])); } switch (config.getSSLClientAuthPolicy()) { case DISABLED: configurator.setNeedClientAuth(false); configurator.setWantClientAuth(false); break; case REQUIRED: configurator.setNeedClientAuth(true); configurator.setWantClientAuth(true); break; case OPTIONAL: default: configurator.setNeedClientAuth(false); configurator.setWantClientAuth(true); break; } return configurator; } catch (Exception e) { logger.traceException(e); ResultCode resCode = DirectoryServer.getServerErrorResultCode(); throw new DirectoryException( resCode, ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(getExceptionMessage(e)), e); } }
@Override public boolean isConfigurationAcceptable( ConnectionHandlerCfg configuration, List<LocalizableMessage> unacceptableReasons) { HTTPConnectionHandlerCfg config = (HTTPConnectionHandlerCfg) configuration; if (currentConfig == null || (!this.enabled && config.isEnabled())) { // Attempt to bind to the listen port on all configured addresses to // verify whether the connection handler will be able to start. LocalizableMessage errorMessage = checkAnyListenAddressInUse( config.getListenAddress(), config.getListenPort(), config.isAllowTCPReuseAddress(), config.dn()); if (errorMessage != null) { unacceptableReasons.add(errorMessage); return false; } } if (config.isEnabled() && config.isUseSSL()) { try { createSSLEngineConfigurator(config); } catch (DirectoryException e) { logger.traceException(e); unacceptableReasons.add(e.getMessageObject()); return false; } } return true; }
private SSLContext createSSLContext(HTTPConnectionHandlerCfg config) throws Exception { if (!config.isUseSSL()) { return null; } DN keyMgrDN = config.getKeyManagerProviderDN(); KeyManagerProvider<?> keyManagerProvider = DirectoryServer.getKeyManagerProvider(keyMgrDN); if (keyManagerProvider == null) { logger.error(ERR_NULL_KEY_PROVIDER_MANAGER, keyMgrDN, friendlyName); logger.warn(INFO_DISABLE_CONNECTION, friendlyName); keyManagerProvider = new NullKeyManagerProvider(); enabled = false; } else if (!keyManagerProvider.containsAtLeastOneKey()) { logger.error(ERR_INVALID_KEYSTORE, friendlyName); logger.warn(INFO_DISABLE_CONNECTION, friendlyName); enabled = false; } final SortedSet<String> aliases = new TreeSet<>(config.getSSLCertNickname()); final KeyManager[] keyManagers; if (aliases.isEmpty()) { keyManagers = keyManagerProvider.getKeyManagers(); } else { final Iterator<String> it = aliases.iterator(); while (it.hasNext()) { if (!keyManagerProvider.containsKeyWithAlias(it.next())) { logger.error(ERR_KEYSTORE_DOES_NOT_CONTAIN_ALIAS, aliases, friendlyName); it.remove(); } } if (aliases.isEmpty()) { logger.warn(INFO_DISABLE_CONNECTION, friendlyName); enabled = false; } keyManagers = SelectableCertificateKeyManager.wrap(keyManagerProvider.getKeyManagers(), aliases); } DN trustMgrDN = config.getTrustManagerProviderDN(); TrustManagerProvider<?> trustManagerProvider = DirectoryServer.getTrustManagerProvider(trustMgrDN); if (trustManagerProvider == null) { trustManagerProvider = new NullTrustManagerProvider(); } SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_INSTANCE_NAME); sslContext.init(keyManagers, trustManagerProvider.getTrustManagers(), null); return sslContext; }
@Override public ConfigChangeResult applyConfigurationChange(HTTPConnectionHandlerCfg config) { final ConfigChangeResult ccr = new ConfigChangeResult(); if (anyChangeRequiresRestart(config)) { ccr.setAdminActionRequired(true); ccr.addMessage(ERR_CONNHANDLER_CONFIG_CHANGES_REQUIRE_RESTART.get("HTTP")); } // Reconfigure SSL if needed. try { configureSSL(config); } catch (DirectoryException e) { logger.traceException(e); ccr.setResultCode(e.getResultCode()); ccr.addMessage(e.getMessageObject()); return ccr; } if (config.isEnabled() && this.currentConfig.isEnabled() && isListening()) { // Server was running and will still be running if the "enabled" was flipped, // leave it to the stop / start server to handle it. if (!this.currentConfig.isKeepStats() && config.isKeepStats()) { // It must now keep stats while it was not previously. setHttpStatsProbe(this.httpServer); } else if (this.currentConfig.isKeepStats() && !config.isKeepStats() && this.httpProbe != null) { // It must NOT keep stats anymore. getHttpConfig(this.httpServer).removeProbes(this.httpProbe); this.httpProbe = null; } } this.initConfig = config; this.currentConfig = config; this.enabled = this.currentConfig.isEnabled(); return ccr; }
private HttpServer createHttpServer() { final HttpServer server = new HttpServer(); final int requestSize = (int) currentConfig.getMaxRequestSize(); final ServerConfiguration serverConfig = server.getServerConfiguration(); serverConfig.setMaxBufferedPostSize(requestSize); serverConfig.setMaxFormPostSize(requestSize); serverConfig.setDefaultQueryEncoding(Charsets.UTF8_CHARSET); if (keepStats()) { setHttpStatsProbe(server); } // Configure the network listener final NetworkListener listener = new NetworkListener( "Rest2LDAP", NetworkListener.DEFAULT_NETWORK_HOST, initConfig.getListenPort()); server.addListener(listener); // Configure the network transport final TCPNIOTransport transport = listener.getTransport(); transport.setReuseAddress(currentConfig.isAllowTCPReuseAddress()); transport.setKeepAlive(currentConfig.isUseTCPKeepAlive()); transport.setTcpNoDelay(currentConfig.isUseTCPNoDelay()); transport.setWriteTimeout(currentConfig.getMaxBlockedWriteTimeLimit(), TimeUnit.MILLISECONDS); final int bufferSize = (int) currentConfig.getBufferSize(); transport.setReadBufferSize(bufferSize); transport.setWriteBufferSize(bufferSize); transport.setIOStrategy(SameThreadIOStrategy.getInstance()); final int numRequestHandlers = getNumRequestHandlers(currentConfig.getNumRequestHandlers(), friendlyName); transport.setSelectorRunnersCount(numRequestHandlers); transport.setServerConnectionBackLog(currentConfig.getAcceptBacklog()); // Configure SSL if (sslEngineConfigurator != null) { listener.setSecure(true); listener.setSSLEngineConfig(sslEngineConfigurator); } return server; }
@Override public void initializeConnectionHandler(HTTPConnectionHandlerCfg config) throws ConfigException, InitializationException { this.enabled = config.isEnabled(); if (friendlyName == null) { friendlyName = config.dn().rdn().getAttributeValue(0).toString(); } int listenPort = config.getListenPort(); for (InetAddress a : config.getListenAddress()) { listeners.add(new HostPort(a.getHostAddress(), listenPort)); } handlerName = getHandlerName(config); // Configure SSL if needed. try { // This call may disable the connector if wrong SSL settings configureSSL(config); } catch (DirectoryException e) { logger.traceException(e); throw new InitializationException(e.getMessageObject()); } // Create and register monitors. statTracker = new HTTPStatistics(handlerName + " Statistics"); DirectoryServer.registerMonitorProvider(statTracker); connMonitor = new ClientConnectionMonitorProvider(this); DirectoryServer.registerMonitorProvider(connMonitor); // Register this as a change listener. config.addHTTPChangeListener(this); this.initConfig = config; this.currentConfig = config; }
@Override public void finalizeConnectionHandler(LocalizableMessage finalizeReason) { shutdownRequested = true; // Unregister this as a change listener. currentConfig.removeHTTPChangeListener(this); if (connMonitor != null) { DirectoryServer.deregisterMonitorProvider(connMonitor); } if (statTracker != null) { DirectoryServer.deregisterMonitorProvider(statTracker); } }
@Override public void run() { setName(handlerName); boolean lastIterationFailed = false; boolean starting = true; while (!shutdownRequested) { // If this connection handler is not enabled, then just sleep for a bit and check again. if (!this.enabled) { if (isListening()) { stopHttpServer(); } if (starting) { // This may happen if there was an initialisation error which led to disable the // connector. // The main thread is waiting for the connector to listen on its port, which will not // occur yet, // so notify here to allow the server startup to complete. synchronized (waitListen) { starting = false; waitListen.notify(); } } StaticUtils.sleep(1000); continue; } if (isListening()) { // If already listening, then sleep for a bit and check again. StaticUtils.sleep(1000); continue; } try { // At this point, the connection Handler either started correctly or failed // to start but the start process should be notified and resume its work in any cases. synchronized (waitListen) { waitListen.notify(); } // If we have gotten here, then we are about to start listening // for the first time since startup or since we were previously disabled. // Start the embedded HTTP server startHttpServer(); lastIterationFailed = false; } catch (Exception e) { // Clean up the messed up HTTP server cleanUpHttpServer(); // Error + alert about the horked config logger.traceException(e); logger.error( ERR_CONNHANDLER_CANNOT_ACCEPT_CONNECTION, friendlyName, currentConfig.dn(), getExceptionMessage(e)); if (lastIterationFailed) { // The last time through the accept loop we also encountered a failure. // Rather than enter a potential infinite loop of failures, // disable this acceptor and log an error. LocalizableMessage message = ERR_CONNHANDLER_CONSECUTIVE_ACCEPT_FAILURES.get( friendlyName, currentConfig.dn(), stackTraceToSingleLineString(e)); logger.error(message); DirectoryServer.sendAlertNotification( this, ALERT_TYPE_HTTP_CONNECTION_HANDLER_CONSECUTIVE_FAILURES, message); this.enabled = false; } else { lastIterationFailed = true; } } } // Initiate shutdown stopHttpServer(); }
/** * Indicates whether this connection handler should maintain usage statistics. * * @return <CODE>true</CODE> if this connection handler should maintain usage statistics, or * <CODE>false</CODE> if not. */ public boolean keepStats() { return currentConfig.isKeepStats(); }
@Override public DN getComponentEntryDN() { return currentConfig.dn(); }
private boolean anyChangeRequiresRestart(HTTPConnectionHandlerCfg newCfg) { return !equals(newCfg.getListenPort(), initConfig.getListenPort()) || !Objects.equals(newCfg.getListenAddress(), initConfig.getListenAddress()) || !equals(newCfg.getMaxRequestSize(), currentConfig.getMaxRequestSize()) || !equals(newCfg.isAllowTCPReuseAddress(), currentConfig.isAllowTCPReuseAddress()) || !equals(newCfg.isUseTCPKeepAlive(), currentConfig.isUseTCPKeepAlive()) || !equals(newCfg.isUseTCPNoDelay(), currentConfig.isUseTCPNoDelay()) || !equals( newCfg.getMaxBlockedWriteTimeLimit(), currentConfig.getMaxBlockedWriteTimeLimit()) || !equals(newCfg.getBufferSize(), currentConfig.getBufferSize()) || !equals(newCfg.getAcceptBacklog(), currentConfig.getAcceptBacklog()) || !equals(newCfg.isUseSSL(), currentConfig.isUseSSL()) || !Objects.equals( newCfg.getKeyManagerProviderDN(), currentConfig.getKeyManagerProviderDN()) || !Objects.equals(newCfg.getSSLCertNickname(), currentConfig.getSSLCertNickname()) || !Objects.equals( newCfg.getTrustManagerProviderDN(), currentConfig.getTrustManagerProviderDN()) || !Objects.equals(newCfg.getSSLProtocol(), currentConfig.getSSLProtocol()) || !Objects.equals(newCfg.getSSLCipherSuite(), currentConfig.getSSLCipherSuite()) || !Objects.equals(newCfg.getSSLClientAuthPolicy(), currentConfig.getSSLClientAuthPolicy()); }