markap14 commented on a change in pull request #4737:
URL: https://github.com/apache/nifi/pull/4737#discussion_r552828009
##########
File path:
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java
##########
@@ -238,41 +238,55 @@ public TlsConfiguration createTlsConfiguration() {
}
/**
- * Returns a configured {@link SSLContext} from the populated
configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link
ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties.
This method is preferred over deprecated
+ * methods due to not requiring a client authentication policy. Invokes
createTlsConfiguration() to prepare
+ * properties for processing.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ @Override
+ public SSLContext createContext() {
+ final TlsConfiguration tlsConfiguration = createTlsConfiguration();
+ if (!tlsConfiguration.isTruststorePopulated()) {
+ getLogger().warn("Trust Store properties not found: using platform
default Certificate Authorities");
+ }
+
+ try {
+ final TrustManager[] trustManagers =
SslContextFactory.getTrustManagers(tlsConfiguration);
+ return SslContextFactory.createSslContext(tlsConfiguration,
trustManagers);
+ } catch (final TlsException e) {
+ getLogger().error("Unable to create SSLContext: {}", new
String[]{e.getLocalizedMessage()});
+ throw new ProcessException("Unable to create SSLContext", e);
+ }
+ }
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated
configuration values. This method is deprecated
+ * due to the Client Authentication policy not being applicable when
initializing the SSLContext
*
* @param clientAuth the desired level of client authentication
* @return the configured SSLContext
* @throws ProcessException if there is a problem configuring the context
*/
+ @Deprecated
@Override
public SSLContext createSSLContext(final
org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException {
- try {
- final TlsConfiguration tlsConfiguration = createTlsConfiguration();
- if (!tlsConfiguration.isTruststorePopulated()) {
- getLogger().warn("Trust Store properties not found: using
platform default Certificate Authorities");
- }
- final TrustManager[] trustManagers =
SslContextFactory.getTrustManagers(tlsConfiguration);
- return SslContextFactory.createSslContext(tlsConfiguration,
trustManagers, clientAuth);
- } catch (TlsException e) {
- getLogger().error("Encountered an error creating the SSL context
from the SSL context service: {}", new String[]{e.getLocalizedMessage()});
- throw new ProcessException("Error creating SSL context", e);
- }
+ return createContext();
}
/**
* Returns a configured {@link SSLContext} from the populated
configuration values. This method is deprecated
Review comment:
Should use @deprecated tag
##########
File path:
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java
##########
@@ -238,41 +238,55 @@ public TlsConfiguration createTlsConfiguration() {
}
/**
- * Returns a configured {@link SSLContext} from the populated
configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link
ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties.
This method is preferred over deprecated
+ * methods due to not requiring a client authentication policy. Invokes
createTlsConfiguration() to prepare
+ * properties for processing.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ @Override
+ public SSLContext createContext() {
+ final TlsConfiguration tlsConfiguration = createTlsConfiguration();
+ if (!tlsConfiguration.isTruststorePopulated()) {
+ getLogger().warn("Trust Store properties not found: using platform
default Certificate Authorities");
+ }
+
+ try {
+ final TrustManager[] trustManagers =
SslContextFactory.getTrustManagers(tlsConfiguration);
+ return SslContextFactory.createSslContext(tlsConfiguration,
trustManagers);
+ } catch (final TlsException e) {
+ getLogger().error("Unable to create SSLContext: {}", new
String[]{e.getLocalizedMessage()});
+ throw new ProcessException("Unable to create SSLContext", e);
+ }
+ }
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated
configuration values. This method is deprecated
Review comment:
Should use @deprecated tag in the javadocs so that they are rendered
nicely.
##########
File path:
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
##########
@@ -56,26 +56,36 @@
}
/**
- * Returns a configured {@link SSLContext} from the populated
configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link
ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties.
This method is preferred over deprecated
+ * create methods due to not requiring a client authentication policy.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ SSLContext createContext();
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated
configuration values. This method is deprecated
Review comment:
Should use @deprecated tag
##########
File path:
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
##########
@@ -56,26 +56,36 @@
}
/**
- * Returns a configured {@link SSLContext} from the populated
configuration values. This method is preferred
- * over the overloaded method which accepts the deprecated {@link
ClientAuth} enum.
+ * Create and initialize {@link SSLContext} using configured properties.
This method is preferred over deprecated
+ * create methods due to not requiring a client authentication policy.
+ *
+ * @return {@link SSLContext} initialized using configured properties
+ */
+ SSLContext createContext();
+
+ /**
+ * Returns a configured {@link SSLContext} from the populated
configuration values. This method is deprecated
+ * due to {@link org.apache.nifi.security.util.ClientAuth} not being
applicable or used when initializing the
+ * {@link SSLContext}
*
* @param clientAuth the desired level of client authentication
* @return the configured SSLContext
* @throws ProcessException if there is a problem configuring the context
*/
- SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth
clientAuth) throws ProcessException;
+ @Deprecated
+ SSLContext createSSLContext(org.apache.nifi.security.util.ClientAuth
clientAuth) throws ProcessException;
/**
* Returns a configured {@link SSLContext} from the populated
configuration values. This method is deprecated
Review comment:
Should use @deprecated tag
##########
File path:
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java
##########
@@ -193,7 +193,7 @@
.description("Client Authentication policy for TLS connections.
Required when SSL Context Service configured.")
.required(false)
.allowableValues(ClientAuth.values())
- .defaultValue(ClientAuth.REQUIRED.name())
Review comment:
I don't think we want to make this change. The default value should
always lean toward being more secure, not less secure. And if I set an SSL
Context on the processor, I would assume mutual auth is going to happen unless
i explicitly change it. This is especially true, since that's always been the
behavior in the past.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
