KNOX-3245: Add new separators for SSL ciphers and protocols (#1142)

* KNOX-3245: Add new separators for SSL ciphers and protocols

* KNOX-3245: Fixed a bug where the ssl.include.protocols config wasn't applied to the internal Jetty server

Author: hanicz

gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java

@@ -38,6 +38,7 @@
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
 
 import org.apache.commons.codec.digest.HmacAlgorithms;
 import org.apache.commons.io.FilenameUtils;
@@ -668,36 +669,33 @@ public String getFrontendUrl() {
 
   @Override
   public Set<String> getIncludedSSLProtocols() {
-    final Collection<String> includedSslProtocols = getTrimmedStringCollection(SSL_INCLUDE_PROTOCOLS);
+    final List<String> includedSslProtocols = splitConfigValueToList(SSL_INCLUDE_PROTOCOLS);
     return includedSslProtocols == null ? Collections.emptySet() : new HashSet<>(includedSslProtocols);
   }
 
   @Override
   public List<String> getExcludedSSLProtocols() {
-    List<String> protocols = null;
-    String value = get(SSL_EXCLUDE_PROTOCOLS);
-    if (!"none".equals(value)) {
-      protocols = Arrays.asList(value.split("\\s*,\\s*"));
-    }
-    return protocols;
+    return splitConfigValueToList(SSL_EXCLUDE_PROTOCOLS);
   }
 
   @Override
   public List<String> getIncludedSSLCiphers() {
-    List<String> list = null;
-    String value = get(SSL_INCLUDE_CIPHERS);
-    if (value != null && !value.isEmpty() && !"none".equalsIgnoreCase(value.trim())) {
-      list = Arrays.asList(value.trim().split("\\s*,\\s*"));
-    }
-    return list;
+    return splitConfigValueToList(SSL_INCLUDE_CIPHERS);
   }
 
   @Override
   public List<String> getExcludedSSLCiphers() {
+    return splitConfigValueToList(SSL_EXCLUDE_CIPHERS);
+  }
+
+  private List<String> splitConfigValueToList(String config) {
     List<String> list = null;
-    String value = get(SSL_EXCLUDE_CIPHERS);
+    String value = get(config);
     if (value != null && !value.isEmpty() && !"none".equalsIgnoreCase(value.trim())) {
-      list = Arrays.asList(value.trim().split("\\s*,\\s*"));
+      list = Arrays.stream(value.split("[,:\n]"))
+              .map(String::trim)
+              .filter(part -> !part.isEmpty())
+              .collect(Collectors.toList());
     }
     return list;
   }

gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java

@@ -228,7 +228,7 @@ public Object buildSslContextFactory(GatewayConfig config) throws AliasServiceEx
     }
 
     final Set<String> sslIncludeProtocols = config.getIncludedSSLProtocols();
-    if (sslIncludeProtocols != null && sslIncludeProtocols.isEmpty()) {
+    if (sslIncludeProtocols != null && !sslIncludeProtocols.isEmpty()) {
       sslContextFactory.setIncludeProtocols(sslIncludeProtocols.toArray(new String[0]));
     }
 

gateway-server/src/test/java/org/apache/knox/gateway/config/impl/GatewayConfigImplTest.java

@@ -18,8 +18,10 @@
 
 import static org.apache.knox.gateway.services.security.impl.RemoteAliasService.REMOTE_ALIAS_SERVICE_TYPE;
 import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.CoreMatchers.notNullValue;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.empty;
 import static org.hamcrest.Matchers.hasItems;
 import static org.hamcrest.Matchers.nullValue;
 import static org.junit.Assert.assertEquals;
@@ -36,6 +38,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
 import org.apache.knox.gateway.config.GatewayConfig;
@@ -143,6 +146,30 @@ public void testSSLCiphers() {
     config.set( "ssl.include.ciphers", " ONE , TWO , THREE " );
     assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
 
+    config.set( "ssl.include.ciphers", " ONE:TWO:THREE " );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.ciphers", " ONE:TWO,THREE " );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.ciphers", " ONE : TWO,THREE " );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.ciphers", " ONE : TWO\nTHREE " );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.ciphers", " ONE,TWO \n THREE " );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.ciphers", " ONE,TWO \n THREE :FOUR" );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO","THREE", "FOUR")) );
+
+    config.set( "ssl.include.ciphers", " ONE,TWO,,THREE" );
+    assertThat( config.getIncludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.ciphers", " ONE,TWO,,THREE" );
+    assertThat( config.getIncludedSSLCiphers(), not(hasItems("")) );
+
     list = config.getExcludedSSLCiphers();
     assertThat( list, is(nullValue()) );
 
@@ -166,6 +193,130 @@ public void testSSLCiphers() {
 
     config.set( "ssl.exclude.ciphers", " ONE , TWO , THREE " );
     assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.ciphers", " ONE:TWO:THREE " );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.ciphers", " ONE:TWO,THREE " );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.ciphers", " ONE : TWO,THREE " );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.ciphers", " ONE : TWO\nTHREE " );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.ciphers", " ONE,TWO \n THREE " );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.ciphers", " ONE,TWO \n THREE :FOUR" );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE", "FOUR")) );
+
+
+    config.set( "ssl.exclude.ciphers", " ONE,TWO,,THREE" );
+    assertThat( config.getExcludedSSLCiphers(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.ciphers", " ONE,TWO,,THREE" );
+    assertThat( config.getExcludedSSLCiphers(), not(hasItems("")) );
+  }
+
+  @Test
+  public void testSSLProtocols() {
+    GatewayConfigImpl config = new GatewayConfigImpl();
+    Set<String> list;
+
+    list = config.getIncludedSSLProtocols();
+    assertThat( list, is(empty()) );
+
+    config.set( "ssl.include.protocols", "none" );
+    assertThat( config.getIncludedSSLProtocols(), is(empty()) );
+
+    config.set( "ssl.include.protocols", "" );
+    assertThat( config.getIncludedSSLProtocols(), is(empty()) );
+
+    config.set( "ssl.include.protocols", "ONE" );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE")) );
+
+    config.set( "ssl.include.protocols", " ONE " );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE")) );
+
+    config.set( "ssl.include.protocols", "ONE,TWO" );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE","TWO")) );
+
+    config.set( "ssl.include.protocols", "ONE,TWO,THREE" );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.protocols", " ONE , TWO , THREE " );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.protocols", " ONE:TWO:THREE " );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.protocols", " ONE:TWO,THREE " );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.protocols", " ONE : TWO,THREE " );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.protocols", " ONE : TWO\nTHREE " );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.protocols", " ONE,TWO \n THREE " );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.protocols", " ONE,TWO \n THREE :FOUR" );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE","TWO","THREE", "FOUR")) );
+
+    config.set( "ssl.include.protocols", " ONE,TWO,,THREE" );
+    assertThat( config.getIncludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.include.protocols", " ONE,TWO,,THREE" );
+    assertThat( config.getIncludedSSLProtocols(), not(hasItems("")) );
+
+    config.set( "ssl.exclude.protocols", "none" );
+    assertThat( config.getExcludedSSLProtocols(), is(nullValue()) );
+
+    config.set( "ssl.exclude.protocols", "" );
+    assertThat( config.getExcludedSSLProtocols(), is(nullValue()) );
+
+    config.set( "ssl.exclude.protocols", "ONE" );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE")) );
+
+    config.set( "ssl.exclude.protocols", " ONE " );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE")) );
+
+    config.set( "ssl.exclude.protocols", "ONE,TWO" );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE","TWO")) );
+
+    config.set( "ssl.exclude.protocols", "ONE,TWO,THREE" );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.protocols", " ONE , TWO , THREE " );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.protocols", " ONE:TWO:THREE " );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.protocols", " ONE:TWO,THREE " );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.protocols", " ONE : TWO,THREE " );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.protocols", " ONE : TWO\nTHREE " );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.protocols", " ONE,TWO \n THREE " );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.protocols", " ONE,TWO \n THREE :FOUR" );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE","TWO","THREE", "FOUR")) );
+
+    config.set( "ssl.exclude.protocols", " ONE,TWO,,THREE" );
+    assertThat( config.getExcludedSSLProtocols(), is(hasItems("ONE","TWO","THREE")) );
+
+    config.set( "ssl.exclude.protocols", " ONE,TWO,,THREE" );
+    assertThat( config.getExcludedSSLProtocols(), not(hasItems("")) );
   }
 
   // KNOX-2772

gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/JettySSLServiceTest.java

@@ -23,13 +23,19 @@
 import static org.easymock.EasyMock.expect;
 import static org.easymock.EasyMock.replay;
 import static org.easymock.EasyMock.verify;
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
 import org.apache.knox.gateway.config.GatewayConfig;
 import org.apache.knox.gateway.services.security.AliasService;
 import org.apache.knox.gateway.services.security.AliasServiceException;
@@ -498,10 +504,65 @@ public void testExcludeTopologyFromClientAuthNoPolicy() {
     assertFalse(sslContextFactory.getWantClientAuth());
   }
 
+  @Test
+  public void testBuildSslContextFactoryCiphersAndProtocols() throws Exception {
+    String basedir = System.getProperty("basedir");
+    if (basedir == null) {
+      basedir = new File(".").getCanonicalPath();
+    }
+
+    Path identityKeystorePath = Paths.get(basedir, "target", "test-classes", "keystores", "server-keystore.jks");
+    String identityKeystoreType = "jks";
+    char[] identityKeystorePassword = "horton".toCharArray();
+    char[] identityKeyPassphrase = "horton".toCharArray();
+    String identityKeyAlias = "server";
+    Path truststorePath = Paths.get(basedir, "target", "test-classes", "keystores", "server-truststore.jks");
+    String truststoreType = "jks";
+    String truststorePasswordAlias = "trust_store_password";
+
+    List<String> includedCiphers = Arrays.asList("SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA");
+    List<String> excludedCiphers = List.of("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA");
+    List<String> excludedProtocols = List.of("SSLv3");
+    Set<String> includedProtocols = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.3"));
+
+    GatewayConfig config = createGatewayConfig(false, false, identityKeystorePath, identityKeystoreType, identityKeyAlias, truststorePath, truststoreType, truststorePasswordAlias,
+            includedCiphers, excludedCiphers, includedProtocols, excludedProtocols);
+
+    AliasService aliasService = createMock(AliasService.class);
+    expect(aliasService.getGatewayIdentityKeystorePassword()).andReturn(identityKeystorePassword).atLeastOnce();
+    expect(aliasService.getGatewayIdentityPassphrase()).andReturn(identityKeyPassphrase).atLeastOnce();
+
+    KeystoreService keystoreService = createMock(KeystoreService.class);
+
+    replay(config, aliasService, keystoreService);
+
+    JettySSLService sslService = new JettySSLService();
+    sslService.setAliasService(aliasService);
+    sslService.setKeystoreService(keystoreService);
+
+    SslContextFactory sslContextFactory = (SslContextFactory) sslService.buildSslContextFactory(config);
+    assertArrayEquals(excludedCiphers.toArray(), sslContextFactory.getExcludeCipherSuites());
+    assertArrayEquals(includedCiphers.toArray(), sslContextFactory.getIncludeCipherSuites());
+    assertArrayEquals(excludedProtocols.toArray(), sslContextFactory.getExcludeProtocols());
+    assertArrayEquals(includedProtocols.toArray(), sslContextFactory.getIncludeProtocols());
+
+
+    verify(config, aliasService, keystoreService);
+  }
+
   private GatewayConfig createGatewayConfig(boolean isClientAuthNeeded, boolean isExplicitTruststore,
                                             Path identityKeystorePath, String identityKeystoreType,
                                             String identityKeyAlias, Path truststorePath,
                                             String truststoreType, String trustStorePasswordAlias) {
+    return createGatewayConfig(isClientAuthNeeded, isExplicitTruststore, identityKeystorePath, identityKeystoreType, identityKeyAlias, truststorePath, truststoreType, trustStorePasswordAlias, null, null, null, null);
+  }
+
+  private GatewayConfig createGatewayConfig(boolean isClientAuthNeeded, boolean isExplicitTruststore,
+                                            Path identityKeystorePath, String identityKeystoreType,
+                                            String identityKeyAlias, Path truststorePath,
+                                            String truststoreType, String trustStorePasswordAlias,
+                                            List<String> includedCiphers, List<String> excludedCiphers,
+                                            Set<String> includedProtocols, List<String> excludedProtocols) {
     GatewayConfig config = createMock(GatewayConfig.class);
     expect(config.getIdentityKeystorePath()).andReturn(identityKeystorePath.toString()).atLeastOnce();
     expect(config.getIdentityKeystoreType()).andReturn(identityKeystoreType).atLeastOnce();
@@ -523,10 +584,10 @@ private GatewayConfig createGatewayConfig(boolean isClientAuthNeeded, boolean is
 
     expect(config.isClientAuthWanted()).andReturn(false).atLeastOnce();
     expect(config.getTrustAllCerts()).andReturn(false).atLeastOnce();
-    expect(config.getIncludedSSLCiphers()).andReturn(null).atLeastOnce();
-    expect(config.getExcludedSSLCiphers()).andReturn(null).atLeastOnce();
-    expect(config.getIncludedSSLProtocols()).andReturn(null).atLeastOnce();
-    expect(config.getExcludedSSLProtocols()).andReturn(null).atLeastOnce();
+    expect(config.getIncludedSSLCiphers()).andReturn(includedCiphers).atLeastOnce();
+    expect(config.getExcludedSSLCiphers()).andReturn(excludedCiphers).atLeastOnce();
+    expect(config.getIncludedSSLProtocols()).andReturn(includedProtocols).atLeastOnce();
+    expect(config.getExcludedSSLProtocols()).andReturn(excludedProtocols).atLeastOnce();
     expect(config.isSSLRenegotiationAllowed()).andReturn(true).atLeastOnce();
     return config;
   }
@@ -538,4 +599,4 @@ private GatewayConfig createGatewayConfigForExcludeTopologyTest(boolean isClient
     return config;
   }
 
-}
+}