Skip SSL validation when calling Cloud Foundry
Update CloudFoundrySecurityService so that SSL validation is not required. We're unlikely to have configured public keys for the REST endpoints we need to call. Since the endpoints are provided via environment variables we can implicitly trust them. See gh-7108pull/7387/head
parent
862a06eb7a
commit
a77cfc3b0e
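--- /dev/null
+++ b/SkipSslVerificationHttpRequestFactory.java
@@ -0,0 +1,93 @@
+/*
+* Copyright 2012-2016 the original author or authors.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package org.springframework.boot.actuate.cloudfoundry;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import org.springframework.http.client.SimpleClientHttpRequestFactory;
+
+/**
+* {@link SimpleClientHttpRequestFactory} that skips SSL certificate verification.
+*
+* @author Madhura Bhave
+*/
+class SkipSslVerificationHttpRequestFactory extends SimpleClientHttpRequestFactory {
+
+@Override
+protected void prepareConnection(HttpURLConnection connection, String httpMethod)
+throws IOException {
+if (connection instanceof HttpsURLConnection) {
+prepareHttpsConnection((HttpsURLConnection) connection);
+}
+super.prepareConnection(connection, httpMethod);
+}
+
+private void prepareHttpsConnection(HttpsURLConnection connection) {
+connection.setHostnameVerifier(new SkipHostnameVerifier());
+try {
+connection.setSSLSocketFactory(createSslSocketFactory());
+}
+catch (Exception ex) {
+// Ignore
+}
+}
+
+private SSLSocketFactory createSslSocketFactory() throws Exception {
+SSLContext context = SSLContext.getInstance("TLS");
+context.init(null, new TrustManager[] { new SkipX509TrustManager() },
+new SecureRandom());
+return context.getSocketFactory();
+}
+
+private class SkipHostnameVerifier implements HostnameVerifier {
+
+@Override
+public boolean verify(String s, SSLSession sslSession) {
+return true;
+}
+
+}
+
+private static class SkipX509TrustManager implements X509TrustManager {
+
+@Override
+public X509Certificate[] getAcceptedIssuers() {
+return new X509Certificate[0];
+}
+
+@Override
+public void checkClientTrusted(X509Certificate[] chain, String authType) {
+}
+
+@Override
+public void checkServerTrusted(X509Certificate[] chain, String authType) {
+}
+
+}
+
+}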
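Review bot: The `catch (Exception ex) { // Ignore }` in prepareHttpsConnection hides a failed SSLContext setup, so the request would proceed with whatever socket factory the HttpsURLConnection already has while the hostname verifier, set on the line before the try, is already disabled, and nothing records which mode the call actually ran in. createSslSocketFactory can only fail with `NoSuchAlgorithmException` or `KeyManagementException`, so declare it `throws GeneralSecurityException` (import `java.security.GeneralSecurityException`), catch that type instead of `Exception`, and replace `// Ignore` with `// Context init failed; the connection keeps its default, verifying socket factory`. SkipHostnameVerifier should be `private static class SkipHostnameVerifier implements HostnameVerifier` like SkipX509TrustManager, since it reads no instance state and otherwise pins the enclosing factory. The class Javadoc should also state that both certificate-chain and hostname checks are skipped for every HTTPS connection this factory creates, so it must only be handed URLs whose trust is established out of band (the Cloud Foundry endpoints taken from environment variables, per the commit message), never caller-supplied ones.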
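--- /dev/null
+++ b/SkipSslVerificationHttpRequestFactoryTests.java
@@ -0,0 +1,84 @@
+/*
+* Copyright 2012-2016 the original author or authors.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package org.springframework.boot.actuate.cloudfoundry;
+
+import javax.net.ssl.SSLHandshakeException;
+
+import org.hamcrest.Matcher;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+
+import org.springframework.boot.context.embedded.EmbeddedServletContainer;
+import org.springframework.boot.context.embedded.ExampleServlet;
+import org.springframework.boot.context.embedded.Ssl;
+import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
+import org.springframework.boot.web.servlet.ServletRegistrationBean;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.client.ResourceAccessException;
+import org.springframework.web.client.RestTemplate;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.hamcrest.Matchers.instanceOf;
+
+/**
+* Test for {@link SkipSslVerificationHttpRequestFactory}.
+*/
+public class SkipSslVerificationHttpRequestFactoryTests {
+
+@Rule
+public ExpectedException thrown = ExpectedException.none();
+
+@Test
+public void restCallToSelfSignedServershouldNotThrowSslException() throws Exception {
+String httpsUrl = getHttpsUrl();
+SkipSslVerificationHttpRequestFactory requestFactory = new SkipSslVerificationHttpRequestFactory();
+RestTemplate restTemplate = new RestTemplate(requestFactory);
+ResponseEntity<String> responseEntity = restTemplate.getForEntity(httpsUrl,
+String.class);
+assertThat(responseEntity.getStatusCode()).isEqualTo(HttpStatus.OK);
+this.thrown.expect(ResourceAccessException.class);
+this.thrown.expectCause(isSSLHandshakeException());
+RestTemplate otherRestTemplate = new RestTemplate();
+otherRestTemplate.getForEntity(httpsUrl, String.class);
+}
+
+private Matcher<Throwable> isSSLHandshakeException() {
+return instanceOf(SSLHandshakeException.class);
+}
+
+private String getHttpsUrl() {
+TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory(
+0);
+factory.setSsl(getSsl("password", "classpath:test.jks"));
+EmbeddedServletContainer container = factory.getEmbeddedServletContainer(
+new ServletRegistrationBean(new ExampleServlet(), "/hello"));
+container.start();
+return "https://localhost:" + container.getPort() + "/hello";
+}
+
+private Ssl getSsl(String keyPassword, String keyStore) {
+Ssl ssl = new Ssl();
+ssl.setEnabled(true);
+ssl.setKeyPassword(keyPassword);
+ssl.setKeyStore(keyStore);
+ssl.setKeyStorePassword("secret");
+return ssl;
+}
+
+}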
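Review bot: The embedded Tomcat started in getHttpsUrl (`container.start()`) is a local that is never stopped, so each test run leaks a listening TLS server with the test keystore loaded until the JVM exits. Keep the container in a field and stop it from an `@After` method (import `org.junit.After`), as sketched below. The test method name also has a casing slip, `restCallToSelfSignedServershouldNotThrowSslException` should read `...ServerShouldNot...`, and since it asserts both the skipping factory and the default RestTemplate in one method, a handshake failure in the second half reports under a name that describes only the first; splitting it into two tests would make a failure self-explanatory.
```java
private EmbeddedServletContainer container;

@After
public void stopContainer() {
	if (this.container != null) {
		this.container.stop();
	}
}

// … unchanged: restCallToSelfSignedServershouldNotThrowSslException, isSSLHandshakeException …

private String getHttpsUrl() {
	TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory(
			0);
	factory.setSsl(getSsl("password", "classpath:test.jks"));
	this.container = factory.getEmbeddedServletContainer(
			new ServletRegistrationBean(new ExampleServlet(), "/hello"));
	this.container.start();
	return "https://localhost:" + this.container.getPort() + "/hello";
}
```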