authorSimon Rettberg2014-11-20 18:44:34 +0100
committerSimon Rettberg2014-11-20 18:44:34 +0100
commit7b53ff287de99e84e2ab7f6b21763f24194ba13e (patch)
tree2503f0f04ae0a1a411b44bd3289322a2c207c42b
parentFixed several things for successful up and download to satellite. (diff)
Enable TLS support for thrift connection aswell
-rw-r--r--src/main/java/org/openslx/imagemaster/Globals.java2
-rw-r--r--src/main/java/org/openslx/imagemaster/thrift/server/BinaryListener.java97
-rw-r--r--src/main/java/org/openslx/imagemaster/thrift/server/ImageServerHandler.java7
3 files changed, 92 insertions, 14 deletions
diff --git a/src/main/java/org/openslx/imagemaster/Globals.java b/src/main/java/org/openslx/imagemaster/Globals.java
index 8933c00..c33f3fe 100644
--- a/src/main/java/org/openslx/imagemaster/Globals.java
+++ b/src/main/java/org/openslx/imagemaster/Globals.java
@@ -5,7 +5,7 @@ import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;
-import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.openslx.imagemaster.util.Util;
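Review bot: The import swap from `org.apache.commons.lang3.StringUtils` to `org.apache.commons.lang.StringUtils` moves `Globals` onto the legacy Commons Lang 2.x package, which no longer receives releases, and it looks unrelated to the TLS work named in the commit title. If the change was forced by what is on the classpath, it would be better to declare `commons-lang3` as a dependency and keep the `lang3` import. If it is intentional, a line in the commit message should say why; the build file is not part of this diff, so the actual dependency state cannot be confirmed from here.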
diff --git a/src/main/java/org/openslx/imagemaster/thrift/server/BinaryListener.java b/src/main/java/org/openslx/imagemaster/thrift/server/BinaryListener.java
index ebacbfc..d7a3c12 100644
--- a/src/main/java/org/openslx/imagemaster/thrift/server/BinaryListener.java
+++ b/src/main/java/org/openslx/imagemaster/thrift/server/BinaryListener.java
@@ -1,37 +1,108 @@
package org.openslx.imagemaster.thrift.server;
+import java.security.NoSuchAlgorithmException;
+import java.util.concurrent.TimeUnit;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+
import org.apache.log4j.Logger;
import org.apache.thrift.protocol.TProtocolFactory;
import org.apache.thrift.server.THsHaServer;
import org.apache.thrift.server.TServer;
+import org.apache.thrift.server.TThreadPoolServer;
+import org.apache.thrift.transport.TFramedTransport;
import org.apache.thrift.transport.TNonblockingServerSocket;
import org.apache.thrift.transport.TNonblockingServerTransport;
+import org.apache.thrift.transport.TSSLTransportFactory;
+import org.apache.thrift.transport.TSSLTransportFactory.TSSLTransportParameters;
+import org.apache.thrift.transport.TServerTransport;
import org.apache.thrift.transport.TTransportException;
+import org.openslx.imagemaster.Globals;
import org.openslx.imagemaster.thrift.iface.ImageServer;
public class BinaryListener implements Runnable
{
+ private static final int MAX_MSG_LEN = 30 * 1000 * 1000;
+
+ private final ImageServer.Processor<ImageServerHandler> processor = new ImageServer.Processor<ImageServerHandler>( new ImageServerHandler() );
+ final TProtocolFactory protFactory = new TBinaryProtocolSafe.Factory( true, true );
+
private static Logger log = Logger.getLogger( BinaryListener.class );
+ final TServer server;
@Override
public void run()
{
- final ImageServerHandler handler = new ImageServerHandler();
- final ImageServer.Processor<ImageServerHandler> processor = new ImageServer.Processor<ImageServerHandler>( handler );
- final TProtocolFactory protFactory = new TBinaryProtocolSafe.Factory( true, true );
- final TNonblockingServerTransport transport;
+ log.info( "Starting Binary Thrift" );
+ server.serve();
+ log.info( "Stopped Binary Thrift" );
+ System.exit( 1 ); // Exit so the server can fully restart
+ }
+
+ public BinaryListener( int port, boolean secure ) throws TTransportException, NoSuchAlgorithmException
+ {
+ if ( secure )
+ server = initSecure( port );
+ else
+ server = initNormal( port );
+ }
+
+ /**
+ * Listen with TLS wrapping - has to use the threadpool server, since encrypted
+ * servers cannot use nonblocking sockets :(
+ *
+ * @param port listen port
+ * @return the server
+ * @throws NoSuchAlgorithmException
+ * @throws TTransportException
+ */
+ private TServer initSecure( int port ) throws NoSuchAlgorithmException, TTransportException
+ {
+ SSLContext context = SSLContext.getDefault();
+ SSLSocketFactory sf = context.getSocketFactory();
+ String[] cipherSuites = sf.getSupportedCipherSuites();
+ // TODO: Remove insecure ones
+ final TSSLTransportParameters params = new TSSLTransportParameters( "TLS", cipherSuites );
+ params.setKeyStore( Globals.getSslKeystoreFile(), Globals.getSslKeystorePassword() );
+ TServerTransport serverTransport;
try {
- transport = new TNonblockingServerSocket( 9090 );
+ serverTransport = TSSLTransportFactory.getServerSocket( port, 0, null, params );
} catch ( TTransportException e ) {
- log.fatal( "Could not listen on port 9090" );
- return;
+ log.fatal( "Could not listen on port " + port );
+ throw e;
}
- THsHaServer.Args args = new THsHaServer.Args( transport ).protocolFactory( protFactory ).processor( processor ).workerThreads( 8 );
- args.maxReadBufferBytes = 30l * 1000l * 1000l;
- TServer server = new THsHaServer( args );
- log.info( "Starting Binary Thrift" );
- server.serve();
- System.exit(1);
+ TThreadPoolServer.Args args = new TThreadPoolServer.Args( serverTransport );
+ args.protocolFactory( protFactory );
+ args.processor( processor );
+ args.minWorkerThreads( 4 ).maxWorkerThreads( 256 );
+ args.requestTimeout( 30 ).requestTimeoutUnit( TimeUnit.SECONDS );
+ args.transportFactory( new TFramedTransport.Factory( MAX_MSG_LEN ) );
+ return new TThreadPoolServer( args );
+ }
+
+ /**
+ * Create normal plain server, no encryption.
+ *
+ * @param port listen port
+ * @return server instance
+ * @throws TTransportException
+ */
+ public TServer initNormal( int port ) throws TTransportException
+ {
+ final TNonblockingServerTransport serverTransport;
+ try {
+ serverTransport = new TNonblockingServerSocket( port );
+ } catch ( TTransportException e ) {
+ log.fatal( "Could not listen on port " + port );
+ throw e;
+ }
+ THsHaServer.Args args = new THsHaServer.Args( serverTransport );
+ args.protocolFactory( protFactory );
+ args.processor( processor );
+ args.workerThreads( 8 );
+ args.maxReadBufferBytes = MAX_MSG_LEN;
+ return new THsHaServer( args );
}
}
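Review bot: In `initSecure`, `sf.getSupportedCipherSuites()` hands every suite the JVM implements to `TSSLTransportParameters`, and on many JREs that set includes anonymous, NULL-encryption and export-grade suites that are deliberately kept out of the default enabled list; until the `// TODO: Remove insecure ones` is resolved, the listener can negotiate those. Starting from the JVM's enabled defaults is the safer baseline, `String[] cipherSuites = sf.getDefaultCipherSuites();`, with an explicit allow-list filter applied on top if stricter policy is wanted. Separately, `getServerSocket( port, 0, null, params )` passes a client timeout of 0, which I read as no socket read timeout; with blocking sockets and one worker per connection, idle peers can hold all 256 worker threads, so a non-zero timeout is worth setting. `requestTimeout( 30 )` appears to bound the hand-off to the executor rather than socket reads, which should be confirmed against the Thrift version in use.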
diff --git a/src/main/java/org/openslx/imagemaster/thrift/server/ImageServerHandler.java b/src/main/java/org/openslx/imagemaster/thrift/server/ImageServerHandler.java
index fbe6d6b..f2f88d0 100644
--- a/src/main/java/org/openslx/imagemaster/thrift/server/ImageServerHandler.java
+++ b/src/main/java/org/openslx/imagemaster/thrift/server/ImageServerHandler.java
@@ -111,4 +111,11 @@ public class ImageServerHandler implements ImageServer.Iface
{
return ApiServer.updateSatelliteAddress( serverSessionId, address );
}
+
+ @Override
+ public ServerSessionData addSession( String localPassword, UserInfo userInfo ) throws TException
+ {
+ // TODO Should be called from local web authenticator doing the ECP stuff
+ return null;
+ }
}
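Review bot: The new `addSession` stub returns `null` for every call and never looks at `localPassword`, so the method is part of the published service interface without any defined behaviour. Thrift-generated Java clients normally surface a null struct result as a generic "unknown result" application error, so callers get an opaque failure instead of a clear "not implemented"; failing explicitly is easier to diagnose, e.g. `throw new TException( "addSession is not implemented yet" );`. The TODO should also become a Javadoc comment stating that `localPassword` must be verified, using a constant-time comparison, before any `ServerSessionData` is issued, so the eventual implementation cannot ship without that check. The class body starts outside this hunk, so whether other handlers already follow a pattern for unimplemented calls is not visible here.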