From b3dff2789104e11f0b7ba9e47385ead9a6166d53 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Fri, 21 Nov 2014 12:21:25 +0100 Subject: Add TLS support for thrift connection to master, switch to TLSv1.2 everywhere --- .../filetransfer/ThriftConnection.java | 103 ++++++++++++++++++--- 1 file changed, 90 insertions(+), 13 deletions(-) (limited to 'src/main/java/org/openslx/satellitedaemon/filetransfer/ThriftConnection.java') diff --git a/src/main/java/org/openslx/satellitedaemon/filetransfer/ThriftConnection.java b/src/main/java/org/openslx/satellitedaemon/filetransfer/ThriftConnection.java index 2196c5e..040b61b 100644 --- a/src/main/java/org/openslx/satellitedaemon/filetransfer/ThriftConnection.java +++ b/src/main/java/org/openslx/satellitedaemon/filetransfer/ThriftConnection.java @@ -2,9 +2,18 @@ package org.openslx.satellitedaemon.filetransfer; import java.io.FileNotFoundException; import java.io.IOException; +import java.net.Socket; +import java.net.UnknownHostException; import java.nio.ByteBuffer; +import java.security.KeyManagementException; +import java.security.NoSuchAlgorithmException; import java.util.List; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; + import org.apache.log4j.Logger; import org.apache.thrift.TException; import org.apache.thrift.protocol.TBinaryProtocol; @@ -40,6 +49,8 @@ import org.openslx.satellitedaemon.db.DbImage.Status; */ public class ThriftConnection { + private static final int MAX_MSG_LEN = 30 * 1000 * 1000; + private static ThreadLocal client = new ThreadLocal(); private static ServerSessionData sSD = null; private static Logger log = Logger.getLogger( ThriftConnection.class ); 
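Review bot: `TrustManager` and `TrustManagerFactory` are imported here but, in the hunks visible in this patch, never referenced — the TLS branch added to newClient() passes null trust managers to `SSLContext.init`, i.e. it relies on the JVM default trust store. If no other part of the file uses them (only the changed hunks are visible to me), drop the two imports; keeping them suggests a custom trust store was wired up when the default one is in use.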
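Review bot: `MAX_MSG_LEN` is introduced without a comment, and what it bounds is only discoverable from the newClient() hunk further down, where it is passed as the frame-size limit of `TFramedTransport`. I'd document it at the declaration: `// Largest single thrift frame (30 MB) accepted from the master; the framed transport refuses bigger frames before buffering them`. That also makes clear the value is a decimal 30 million rather than a MiB multiple.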
@@ -54,7 +65,7 @@ public class ThriftConnection * connection is ok, it calls submitImage with CRCsum in List. * * @return returns 'null' if there is a problem. - * @throws ImageDataException + * @throws ImageDataException */ public static UploadData getUploadInfos( ImageData imDat, String path ) throws ImageDataException { @@ -162,6 +173,22 @@ public class ThriftConnection return null; } + /** + * Returns true iff the server is reachable and its ping method + * returns true. + * + * @return sausages + */ + public static boolean ping() + { + ImageServer.Client theClient = getConnection( false ); + try { + return theClient != null && theClient.ping(); + } catch ( TException e ) { + return false; + } + } + /***********************************************************************************************/ /** * This method checks if there is already a working connection. If not, @@ -171,8 +198,38 @@ public class ThriftConnection * @return returns the client if successful. */ private static ImageServer.Client getConnection() + { + return getConnection( true ); + } + + /** + * Get established connection, only authenticate if needAuth is set, otherwise + * we just make sure we're connected. + * + * @param needAuth authenticate to server? + * @return + */ + private static ImageServer.Client getConnection( boolean needAuth ) { ImageServer.Client theClient = client.get(); + + if ( !needAuth ) { + try { + theClient.ping(); + } catch ( Exception e ) { + // Need new client, connection is bad + theClient = newClient(); + try { + theClient.ping(); + } catch ( Exception e1 ) { + // No luck today :( + theClient = null; + } + } + return theClient; + } + + // Want a connected authenticated client boolean isAuthenticated; if ( theClient == null ) { 
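Review bot: The Javadoc on the new ping() ends in a placeholder, `@return sausages`; replace it with `@return true if the master answered the ping, false if no connection could be established or the call failed`. The method also depends on `getConnection( false )` tolerating a missing thread-local client, which in this commit only works because a NullPointerException is swallowed by a catch-all in the next hunk.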
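Review bot: In the new `!needAuth` branch of getConnection( boolean ), `theClient.ping()` is called before `theClient` is null-checked: on a thread that has no client yet, `client.get()` is null, the call throws NullPointerException, and the `catch ( Exception e )` turns that into the "connection is bad" path; the same happens again when `newClient()` returns null (it does so on every failure in the later hunk), so the branch only works by catching NPE as control flow. I'd test for null explicitly and narrow the catch to `TException`, which is what `ping()` declares and what the "connection is bad" comment actually means; the body of getConnection continues outside the hunk, so the authenticated path is left as is below. The Javadoc of the new overload also has an empty `@return` — `@return a connected client, authenticated only if needAuth was set; null if the master could not be reached` would cover it.
```java
/** Round-trip ping; false on any thrift transport/protocol error. */
private static boolean isReachable( ImageServer.Client c )
{
    try {
        c.ping();
        return true;
    } catch ( TException e ) {
        return false;
    }
}

private static ImageServer.Client getConnection( boolean needAuth )
{
    ImageServer.Client theClient = client.get();

    if ( !needAuth ) {
        // No client for this thread yet, or the stored one is dead: try once to replace it
        if ( theClient == null || !isReachable( theClient ) ) {
            theClient = newClient(); // null if connecting failed
            if ( theClient != null && !isReachable( theClient ) ) {
                // No luck today :(
                theClient = null;
            }
        }
        return theClient;
    }
    // … unchanged: authenticated path …
```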
@@ -237,22 +294,39 @@ public class ThriftConnection { final ImageServer.Client newClient; try { - TTransport transport = new TFramedTransport( new TSocket( - Globals.getMasterserverHost(), Globals.getThriftPort(), 8000 ) ); - transport.open(); + TTransport transport; + if ( Globals.getThriftTls() ) { + SSLContext sslContext = SSLContext.getInstance( "TLSv1.2" ); + sslContext.init( null, null, null ); + SSLSocketFactory sslsocketfactory = sslContext.getSocketFactory(); + Socket sock = sslsocketfactory.createSocket( Globals.getMasterserverHost(), Globals.getThriftPort() ); + sock.setSoTimeout( 8000 ); + transport = new TFramedTransport( new TSocket( sock ), MAX_MSG_LEN ); + } else { + transport = new TFramedTransport( new TSocket( + Globals.getMasterserverHost(), Globals.getThriftPort(), 8000 ), MAX_MSG_LEN ); + transport.open(); + } TProtocol protocol = new TBinaryProtocol( transport ); newClient = new ImageServer.Client( protocol ); - log.debug( "ThriftConnection: Made a new Client" ); + log.debug( "ThriftConnection: Made a new Client (TLS=" + Globals.getThriftTls() + ")" ); + client.set( newClient ); + return newClient; } catch ( TTransportException e ) { log.error( "Transport could not be opened. Couldn't create new client.", e ); - return null; + } catch ( UnknownHostException e ) { + log.error( "Could not resolve host name of master server", e ); + } catch ( IOException e ) { + log.error( "Unknown error connecting to master", e ); + } catch ( NoSuchAlgorithmException | KeyManagementException e ) { + log.error( "No valid TLS algorithm found", e ); } - client.set( newClient ); - return newClient; + return null; } /** * Publish new user to master-server, which insert it to his db. + * * @param userInfo * @return true, if successful. */ 
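Review bot: The TLS branch in newClient() validates the master's certificate chain but never binds it to the host name: a plain `SSLSocketFactory.createSocket( host, port )` performs no endpoint identification, so any certificate issued by a CA in the default trust store would be accepted for `Globals.getMasterserverHost()`. Setting `setEndpointIdentificationAlgorithm( "HTTPS" )` on the socket's `SSLParameters` before the handshake closes that gap; connecting the socket explicitly with the same 8000 ms timeout the plain branch passes to `TSocket` also avoids an unbounded connect, and an explicit `startHandshake()` surfaces TLS failures inside this method's catch blocks instead of on the first RPC. `sslContext.init( null, null, null )` itself is fine — null managers select the JVM default key and trust store — but deserves a comment saying so. This needs `javax.net.ssl.SSLSocket`, `javax.net.ssl.SSLParameters` and `java.net.InetSocketAddress` added to the import block in the first hunk.
```java
TTransport transport;
if ( Globals.getThriftTls() ) {
    SSLContext sslContext = SSLContext.getInstance( "TLSv1.2" );
    sslContext.init( null, null, null ); // null managers: JVM default key/trust store and SecureRandom
    SSLSocket sock = (SSLSocket)sslContext.getSocketFactory().createSocket(); // still unconnected
    SSLParameters params = sock.getSSLParameters();
    params.setEndpointIdentificationAlgorithm( "HTTPS" ); // the cert must match the master's host name
    sock.setSSLParameters( params );
    sock.connect( new InetSocketAddress( Globals.getMasterserverHost(), Globals.getThriftPort() ), 8000 );
    sock.setSoTimeout( 8000 );
    sock.startHandshake(); // fail here, inside our catch blocks, not on the first RPC
    transport = new TFramedTransport( new TSocket( sock ), MAX_MSG_LEN );
} else {
    // … unchanged: plain TSocket branch …
}
// … unchanged: protocol and client creation, catch blocks …
```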
@@ -278,15 +352,16 @@ public class ThriftConnection /** * Register new, by master unknown satellite - server with organizationId, * ipAddress and key - information. + * * @param organizationId * @param ipAddress * @param modulus * @param exponent - * @return true, if successful. + * @return true, if successful. */ public static boolean registerSatellite( String organizationId, String ipAddress, String modulus, String exponent ) { - ImageServer.Client theClient = client.get(); + ImageServer.Client theClient = getConnection( false ); if ( theClient == null ) { // There is no client instance for this thread, create a new one @@ -305,16 +380,18 @@ public class ThriftConnection return false; } } - + /** * Update in master - DB existing satellite - ipAddress. + * * @param ipAddress * @return true, if successful. */ - public static boolean updateSatelliteAddress(String ipAddress) { + public static boolean updateSatelliteAddress( String ipAddress ) + { ImageServer.Client theClient = null; theClient = getConnection(); - if ( theClient == null) { + if ( theClient == null ) { log.error( "Client was null!" ); return false; } -- cgit v1.2.3-55-g7522
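Review bot: After switching `theClient` to `getConnection( false )`, the comment `// There is no client instance for this thread, create a new one` on the null branch of registerSatellite is stale: getConnection( false ) already created and pinged a fresh client and returns null only when that failed, so whatever the branch does next (its body continues outside the hunk) is at best a redundant retry. I'd change the comment to `// Could not reach the master (getConnection already retried once)` and, if the branch still calls newClient(), reduce it to a plain `return false;`.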