1
0
mirror of https://github.com/google/nomulus synced 2026-07-10 10:02:50 +00:00

Compare commits

...

5 Commits

Author SHA1 Message Date
Lai Jiang c584de9f72 Respect certificate validity period (#391)
Client SSL handler already performs the necessary validation. Only tests are
added.

Server SSL handler does not currently check for the validity period of
the client certificate as the insecure trust manager is used. This PR
added the check but does not actually terminate the connection yet. It
will log the expired certificates so that we can contact the registrars
to update them.

Once we are certain that all certificates are updated, we can turn off
dryrun mode.

We should also consider checking if the certificate has too long a
validity period as it defeats the purpose of using regularly updated
certificates to deprecate insecure cipher suites.
2019-11-27 16:08:38 -05:00
Shicong Huang 9be5091c84 Add entity for reserved list (#381)
This PR added the Cloud SQL entity for reserved list.
2019-11-26 16:51:41 -05:00
Michael Muller 28499d23a0 Print filenames that need to be reformatted (#386)
* Print filenames that need to be reformatted

Print the names of all java files that need reformatting during the check and
reformat operations.
2019-11-26 13:20:27 -05:00
Ben McIlwain 961d7e88f4 Use Maps.transformEntries() utility method to improve Map composition (#387)
* Use Maps.transformEntries() utility method to improve Map composition
2019-11-26 12:20:00 -05:00
Weimin Yu 215de62fa7 Stop publish Cloud SQL schema jar to maven repo (#383)
* Stop publish Cloud SQL schema jar to maven repo

The original purpose of the maven publication is for
use in server/schema compatibility tests. A commandline
flag can direct a test run to use different versions of
the schema jar. However, this won't work due to dependency
locking.
2019-11-25 18:23:02 -05:00
26 changed files with 833 additions and 47 deletions
@@ -18,7 +18,6 @@ import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Predicates.equalTo;
import static com.google.common.base.Predicates.not;
import static com.google.common.collect.ImmutableMap.toImmutableMap;
import static com.google.common.collect.ImmutableSet.toImmutableSet;
import static com.google.common.collect.Maps.toMap;
import static google.registry.config.RegistryConfig.getSingletonCacheRefreshDuration;
@@ -41,6 +40,7 @@ import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSortedMap;
import com.google.common.collect.Iterables;
import com.google.common.collect.Maps;
import com.google.common.collect.Ordering;
import com.google.common.collect.Range;
import com.google.common.net.InternetDomainName;
@@ -265,11 +265,8 @@ public class Registry extends ImmutableObject implements Buildable {
tld -> Key.create(getCrossTldKey(), Registry.class, tld));
Map<Key<Registry>, Registry> entities =
tm().doTransactionless(() -> ofy().load().keys(keysMap.values()));
return keysMap.entrySet().stream()
.collect(
toImmutableMap(
Map.Entry::getKey,
e -> Optional.ofNullable(entities.getOrDefault(e.getValue(), null))));
return Maps.transformEntries(
keysMap, (k, v) -> Optional.ofNullable(entities.getOrDefault(v, null)));
}
});
@@ -0,0 +1,147 @@
// Copyright 2019 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.schema.tld;
import static com.google.common.base.Preconditions.checkState;
import com.google.common.collect.ImmutableMap;
import google.registry.model.CreateAutoTimestamp;
import google.registry.model.ImmutableObject;
import google.registry.model.registry.label.ReservationType;
import java.util.Map;
import javax.annotation.Nullable;
import javax.persistence.CollectionTable;
import javax.persistence.Column;
import javax.persistence.ElementCollection;
import javax.persistence.Embeddable;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Index;
import javax.persistence.JoinColumn;
import javax.persistence.MapKeyColumn;
import javax.persistence.Table;
import org.joda.time.DateTime;
/**
* A list of reserved domain labels that are blocked from being registered for various reasons.
*
* <p>Note that the primary key of this entity is {@link #revisionId}, which is auto-generated by
* the database. So, if a retry of insertion happens after the previous attempt unexpectedly
* succeeds, we will end up with having two exact same reserved lists that differ only by
* revisionId. This is fine though, because we only use the list with the highest revisionId.
*/
@Entity
@Table(indexes = {@Index(columnList = "name", name = "reservedlist_name_idx")})
public class ReservedList extends ImmutableObject {
@Column(nullable = false)
private String name;
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(nullable = false)
private Long revisionId;
@Column(nullable = false)
private CreateAutoTimestamp creationTimestamp = CreateAutoTimestamp.create(null);
@Column(nullable = false)
private Boolean shouldPublish;
@ElementCollection
@CollectionTable(
name = "ReservedEntry",
joinColumns = @JoinColumn(name = "revisionId", referencedColumnName = "revisionId"))
@MapKeyColumn(name = "domainLabel")
private Map<String, ReservedEntry> labelsToReservations;
@Embeddable
public static class ReservedEntry extends ImmutableObject {
@Column(nullable = false)
private ReservationType reservationType;
@Column(nullable = true)
private String comment;
private ReservedEntry(ReservationType reservationType, @Nullable String comment) {
this.reservationType = reservationType;
this.comment = comment;
}
// Hibernate requires this default constructor.
private ReservedEntry() {}
/** Constructs a {@link ReservedEntry} object. */
public static ReservedEntry create(ReservationType reservationType, @Nullable String comment) {
return new ReservedEntry(reservationType, comment);
}
/** Returns the reservation type for this entry. */
public ReservationType getReservationType() {
return reservationType;
}
/** Returns the comment for this entry. Retruns null if there is no comment. */
public String getComment() {
return comment;
}
}
private ReservedList(
String name, Boolean shouldPublish, Map<String, ReservedEntry> labelsToReservations) {
this.name = name;
this.shouldPublish = shouldPublish;
this.labelsToReservations = labelsToReservations;
}
// Hibernate requires this default constructor.
private ReservedList() {}
/** Constructs a {@link ReservedList} object. */
public static ReservedList create(
String name, Boolean shouldPublish, Map<String, ReservedEntry> labelsToReservations) {
return new ReservedList(name, shouldPublish, labelsToReservations);
}
/** Returns the name of the reserved list. */
public String getName() {
return name;
}
/** Returns the ID of this revision, or throws if null. */
public Long getRevisionId() {
checkState(
revisionId != null,
"revisionId is null because this object has not been persisted to the database yet");
return revisionId;
}
/** Returns the creation time of this revision of the reserved list. */
public DateTime getCreationTimestamp() {
return creationTimestamp.getTimestamp();
}
/** Returns a {@link Map} of domain labels to {@link ReservedEntry}. */
public ImmutableMap<String, ReservedEntry> getLabelsToReservations() {
return ImmutableMap.copyOf(labelsToReservations);
}
/** Returns true if the reserved list should be published. */
public Boolean getShouldPublish() {
return shouldPublish;
}
}
@@ -24,6 +24,7 @@
<class>google.registry.schema.tmch.ClaimsList</class>
<class>google.registry.model.transfer.BaseTransferObject</class>
<class>google.registry.schema.tld.PremiumList</class>
<class>google.registry.schema.tld.ReservedList</class>
<class>google.registry.model.domain.secdns.DelegationSignerData</class>
<class>google.registry.model.domain.DesignatedContact</class>
<class>google.registry.model.domain.DomainBase</class>
@@ -0,0 +1,53 @@
// Copyright 2019 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.schema.tld;
import static com.google.common.truth.Truth.assertThat;
import com.google.common.collect.ImmutableMap;
import google.registry.model.registry.label.ReservationType;
import google.registry.schema.tld.ReservedList.ReservedEntry;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
/** Unit tests for {@link ReservedList} */
@RunWith(JUnit4.class)
public class ReservedListTest {
@Test
public void verifyConstructorAndGetters_workCorrectly() {
ReservedList reservedList =
ReservedList.create(
"app",
false,
ImmutableMap.of(
"book",
ReservedEntry.create(ReservationType.ALLOWED_IN_SUNRISE, null),
"music",
ReservedEntry.create(
ReservationType.RESERVED_FOR_ANCHOR_TENANT, "reserved for anchor tenant")));
assertThat(reservedList.getName()).isEqualTo("app");
assertThat(reservedList.getShouldPublish()).isFalse();
assertThat(reservedList.getLabelsToReservations())
.containsExactly(
"book",
ReservedEntry.create(ReservationType.ALLOWED_IN_SUNRISE, null),
"music",
ReservedEntry.create(
ReservationType.RESERVED_FOR_ANCHOR_TENANT, "reserved for anchor tenant"));
}
}
@@ -0,0 +1,36 @@
-- Copyright 2019 The Nomulus Authors. All Rights Reserved.
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
create table "ReservedEntry" (
revision_id int8 not null,
comment text,
reservation_type int4 not null,
domain_label text not null,
primary key (revision_id, domain_label)
);
create table "ReservedList" (
revision_id bigserial not null,
creation_timestamp timestamptz not null,
name text not null,
should_publish boolean not null,
primary key (revision_id)
);
create index reservedlist_name_idx on "ReservedList" (name);
alter table if exists "ReservedEntry"
add constraint FKgq03rk0bt1hb915dnyvd3vnfc
foreign key (revision_id)
references "ReservedList";
@@ -152,6 +152,22 @@
primary key (revision_id)
);
create table "ReservedEntry" (
revision_id int8 not null,
comment text,
reservation_type int4 not null,
domain_label text not null,
primary key (revision_id, domain_label)
);
create table "ReservedList" (
revision_id bigserial not null,
creation_timestamp timestamptz not null,
name text not null,
should_publish boolean not null,
primary key (revision_id)
);
alter table if exists "Domain_DelegationSignerData"
add constraint UK_2yp55erx1i51pa7gnb8bu7tjn unique (ds_data_key_tag);
@@ -166,6 +182,7 @@ create index idx_registry_lock_registrar_id on "RegistryLock" (registrar_id);
alter table if exists "RegistryLock"
add constraint idx_registry_lock_repo_id_revision_id unique (repo_id, revision_id);
create index reservedlist_name_idx on "ReservedList" (name);
alter table if exists "ClaimsEntry"
add constraint FK6sc6at5hedffc0nhdcab6ivuq
@@ -221,3 +238,8 @@ create index idx_registry_lock_registrar_id on "RegistryLock" (registrar_id);
add constraint FKo0gw90lpo1tuee56l0nb6y6g5
foreign key (revision_id)
references "PremiumList";
alter table if exists "ReservedEntry"
add constraint FKgq03rk0bt1hb915dnyvd3vnfc
foreign key (revision_id)
references "ReservedList";
@@ -141,6 +141,49 @@ CREATE SEQUENCE public."RegistryLock_revision_id_seq"
ALTER SEQUENCE public."RegistryLock_revision_id_seq" OWNED BY public."RegistryLock".revision_id;
--
-- Name: ReservedEntry; Type: TABLE; Schema: public; Owner: -
--
CREATE TABLE public."ReservedEntry" (
revision_id bigint NOT NULL,
comment text,
reservation_type integer NOT NULL,
domain_label text NOT NULL
);
--
-- Name: ReservedList; Type: TABLE; Schema: public; Owner: -
--
CREATE TABLE public."ReservedList" (
revision_id bigint NOT NULL,
creation_timestamp timestamp with time zone NOT NULL,
name text NOT NULL,
should_publish boolean NOT NULL
);
--
-- Name: ReservedList_revision_id_seq; Type: SEQUENCE; Schema: public; Owner: -
--
CREATE SEQUENCE public."ReservedList_revision_id_seq"
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1;
--
-- Name: ReservedList_revision_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: -
--
ALTER SEQUENCE public."ReservedList_revision_id_seq" OWNED BY public."ReservedList".revision_id;
--
-- Name: ClaimsList revision_id; Type: DEFAULT; Schema: public; Owner: -
--
@@ -162,6 +205,13 @@ ALTER TABLE ONLY public."PremiumList" ALTER COLUMN revision_id SET DEFAULT nextv
ALTER TABLE ONLY public."RegistryLock" ALTER COLUMN revision_id SET DEFAULT nextval('public."RegistryLock_revision_id_seq"'::regclass);
--
-- Name: ReservedList revision_id; Type: DEFAULT; Schema: public; Owner: -
--
ALTER TABLE ONLY public."ReservedList" ALTER COLUMN revision_id SET DEFAULT nextval('public."ReservedList_revision_id_seq"'::regclass);
--
-- Name: ClaimsEntry ClaimsEntry_pkey; Type: CONSTRAINT; Schema: public; Owner: -
--
@@ -202,6 +252,22 @@ ALTER TABLE ONLY public."RegistryLock"
ADD CONSTRAINT "RegistryLock_pkey" PRIMARY KEY (revision_id);
--
-- Name: ReservedEntry ReservedEntry_pkey; Type: CONSTRAINT; Schema: public; Owner: -
--
ALTER TABLE ONLY public."ReservedEntry"
ADD CONSTRAINT "ReservedEntry_pkey" PRIMARY KEY (revision_id, domain_label);
--
-- Name: ReservedList ReservedList_pkey; Type: CONSTRAINT; Schema: public; Owner: -
--
ALTER TABLE ONLY public."ReservedList"
ADD CONSTRAINT "ReservedList_pkey" PRIMARY KEY (revision_id);
--
-- Name: RegistryLock idx_registry_lock_repo_id_revision_id; Type: CONSTRAINT; Schema: public; Owner: -
--
@@ -231,6 +297,13 @@ CREATE INDEX idx_registry_lock_verification_code ON public."RegistryLock" USING
CREATE INDEX premiumlist_name_idx ON public."PremiumList" USING btree (name);
--
-- Name: reservedlist_name_idx; Type: INDEX; Schema: public; Owner: -
--
CREATE INDEX reservedlist_name_idx ON public."ReservedList" USING btree (name);
--
-- Name: ClaimsEntry fk6sc6at5hedffc0nhdcab6ivuq; Type: FK CONSTRAINT; Schema: public; Owner: -
--
@@ -239,6 +312,14 @@ ALTER TABLE ONLY public."ClaimsEntry"
ADD CONSTRAINT fk6sc6at5hedffc0nhdcab6ivuq FOREIGN KEY (revision_id) REFERENCES public."ClaimsList"(revision_id);
--
-- Name: ReservedEntry fkgq03rk0bt1hb915dnyvd3vnfc; Type: FK CONSTRAINT; Schema: public; Owner: -
--
ALTER TABLE ONLY public."ReservedEntry"
ADD CONSTRAINT fkgq03rk0bt1hb915dnyvd3vnfc FOREIGN KEY (revision_id) REFERENCES public."ReservedList"(revision_id);
--
-- Name: PremiumEntry fko0gw90lpo1tuee56l0nb6y6g5; Type: FK CONSTRAINT; Schema: public; Owner: -
--
@@ -41,6 +41,16 @@ where:
SCRIPT_DIR="$(realpath $(dirname $0))"
function showNoncompliantFiles() {
local forkPoint="$1"
local message="$2"
git diff -U0 ${forkPoint} | \
${SCRIPT_DIR}/google-java-format-diff.py -p1 | \
awk -v "message=$message" \
'/\+\+\+ ([^ ]*)/ { print message $2 }' 1>&2
}
function callGoogleJavaFormatDiff() {
local forkPoint
forkPoint=$(git merge-base --fork-point origin/master)
@@ -48,10 +58,12 @@ function callGoogleJavaFormatDiff() {
local callResult
case "$1" in
"check")
showNoncompliantFiles "$forkPoint" "\033[1mNeeds formatting: "
callResult=$(git diff -U0 ${forkPoint} | \
${SCRIPT_DIR}/google-java-format-diff.py -p1 | wc -l)
;;
"format")
showNoncompliantFiles "$forkPoint" "\033[1mReformatting: "
callResult=$(git diff -U0 ${forkPoint} | \
${SCRIPT_DIR}/google-java-format-diff.py -p1 -i)
;;
@@ -60,6 +72,7 @@ function callGoogleJavaFormatDiff() {
${SCRIPT_DIR}/google-java-format-diff.py -p1)
;;
esac
echo -e "\033[0m" 1>&2
echo "${callResult}"
exit 0
}
+1
View File
@@ -24,6 +24,7 @@ dependencies {
compile deps['io.netty:netty-handler']
compile deps['io.netty:netty-transport']
compile deps['javax.inject:javax.inject']
compile project(':util')
runtime deps['com.google.flogger:flogger-system-backend']
runtime deps['io.netty:netty-tcnative-boringssl-static']
@@ -1,13 +1,30 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.9.9
com.google.api-client:google-api-client:1.29.2
com.google.appengine:appengine-api-1.0-sdk:1.9.48
com.google.appengine:appengine-testing:1.9.58
com.google.auth:google-auth-library-credentials:0.16.1
com.google.auth:google-auth-library-oauth2-http:0.16.1
com.google.auto.value:auto-value-annotations:1.6.3
com.google.auto.value:auto-value:1.6.3
com.google.code.findbugs:jsr305:3.0.2
com.google.dagger:dagger:2.21
com.google.errorprone:error_prone_annotations:2.3.2
com.google.flogger:flogger:0.1
com.google.guava:failureaccess:1.0.1
com.google.guava:guava:28.1-jre
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
com.google.http-client:google-http-client-jackson2:1.30.1
com.google.http-client:google-http-client:1.30.1
com.google.j2objc:j2objc-annotations:1.3
com.google.oauth-client:google-oauth-client:1.29.2
com.google.re2j:re2j:1.1
com.ibm.icu:icu4j:57.1
commons-codec:commons-codec:1.11
commons-logging:commons-logging:1.2
io.grpc:grpc-context:1.19.0
io.netty:netty-buffer:4.1.31.Final
io.netty:netty-codec-http:4.1.31.Final
io.netty:netty-codec:4.1.31.Final
@@ -15,6 +32,15 @@ io.netty:netty-common:4.1.31.Final
io.netty:netty-handler:4.1.31.Final
io.netty:netty-resolver:4.1.31.Final
io.netty:netty-transport:4.1.31.Final
io.opencensus:opencensus-api:0.21.0
io.opencensus:opencensus-contrib-http-util:0.21.0
javax.activation:activation:1.1
javax.inject:javax.inject:1
javax.mail:mail:1.4
javax.xml.bind:jaxb-api:2.3.0
joda-time:joda-time:2.9.2
org.apache.httpcomponents:httpclient:4.5.8
org.apache.httpcomponents:httpcore:4.4.11
org.checkerframework:checker-qual:2.8.1
org.codehaus.mojo:animal-sniffer-annotations:1.18
org.yaml:snakeyaml:1.17
@@ -1,13 +1,30 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.9.9
com.google.api-client:google-api-client:1.29.2
com.google.appengine:appengine-api-1.0-sdk:1.9.48
com.google.appengine:appengine-testing:1.9.58
com.google.auth:google-auth-library-credentials:0.16.1
com.google.auth:google-auth-library-oauth2-http:0.16.1
com.google.auto.value:auto-value-annotations:1.6.3
com.google.auto.value:auto-value:1.6.3
com.google.code.findbugs:jsr305:3.0.2
com.google.dagger:dagger:2.21
com.google.errorprone:error_prone_annotations:2.3.2
com.google.flogger:flogger:0.1
com.google.guava:failureaccess:1.0.1
com.google.guava:guava:28.1-jre
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
com.google.http-client:google-http-client-jackson2:1.30.1
com.google.http-client:google-http-client:1.30.1
com.google.j2objc:j2objc-annotations:1.3
com.google.oauth-client:google-oauth-client:1.29.2
com.google.re2j:re2j:1.1
com.ibm.icu:icu4j:57.1
commons-codec:commons-codec:1.11
commons-logging:commons-logging:1.2
io.grpc:grpc-context:1.19.0
io.netty:netty-buffer:4.1.31.Final
io.netty:netty-codec-http:4.1.31.Final
io.netty:netty-codec:4.1.31.Final
@@ -15,6 +32,15 @@ io.netty:netty-common:4.1.31.Final
io.netty:netty-handler:4.1.31.Final
io.netty:netty-resolver:4.1.31.Final
io.netty:netty-transport:4.1.31.Final
io.opencensus:opencensus-api:0.21.0
io.opencensus:opencensus-contrib-http-util:0.21.0
javax.activation:activation:1.1
javax.inject:javax.inject:1
javax.mail:mail:1.4
javax.xml.bind:jaxb-api:2.3.0
joda-time:joda-time:2.9.2
org.apache.httpcomponents:httpclient:4.5.8
org.apache.httpcomponents:httpcore:4.4.11
org.checkerframework:checker-qual:2.8.1
org.codehaus.mojo:animal-sniffer-annotations:1.18
org.yaml:snakeyaml:1.17
@@ -1,14 +1,31 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.9.9
com.google.api-client:google-api-client:1.29.2
com.google.appengine:appengine-api-1.0-sdk:1.9.48
com.google.appengine:appengine-testing:1.9.58
com.google.auth:google-auth-library-credentials:0.16.1
com.google.auth:google-auth-library-oauth2-http:0.16.1
com.google.auto.value:auto-value-annotations:1.6.3
com.google.auto.value:auto-value:1.6.3
com.google.code.findbugs:jsr305:3.0.2
com.google.dagger:dagger:2.21
com.google.errorprone:error_prone_annotations:2.3.2
com.google.flogger:flogger-system-backend:0.1
com.google.flogger:flogger:0.1
com.google.guava:failureaccess:1.0.1
com.google.guava:guava:28.1-jre
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
com.google.http-client:google-http-client-jackson2:1.30.1
com.google.http-client:google-http-client:1.30.1
com.google.j2objc:j2objc-annotations:1.3
com.google.oauth-client:google-oauth-client:1.29.2
com.google.re2j:re2j:1.1
com.ibm.icu:icu4j:57.1
commons-codec:commons-codec:1.11
commons-logging:commons-logging:1.2
io.grpc:grpc-context:1.19.0
io.netty:netty-buffer:4.1.31.Final
io.netty:netty-codec-http:4.1.31.Final
io.netty:netty-codec:4.1.31.Final
@@ -17,6 +34,15 @@ io.netty:netty-handler:4.1.31.Final
io.netty:netty-resolver:4.1.31.Final
io.netty:netty-tcnative-boringssl-static:2.0.22.Final
io.netty:netty-transport:4.1.31.Final
io.opencensus:opencensus-api:0.21.0
io.opencensus:opencensus-contrib-http-util:0.21.0
javax.activation:activation:1.1
javax.inject:javax.inject:1
javax.mail:mail:1.4
javax.xml.bind:jaxb-api:2.3.0
joda-time:joda-time:2.9.2
org.apache.httpcomponents:httpclient:4.5.8
org.apache.httpcomponents:httpcore:4.4.11
org.checkerframework:checker-qual:2.8.1
org.codehaus.mojo:animal-sniffer-annotations:1.18
org.yaml:snakeyaml:1.17
@@ -1,14 +1,31 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.9.9
com.google.api-client:google-api-client:1.29.2
com.google.appengine:appengine-api-1.0-sdk:1.9.48
com.google.appengine:appengine-testing:1.9.58
com.google.auth:google-auth-library-credentials:0.16.1
com.google.auth:google-auth-library-oauth2-http:0.16.1
com.google.auto.value:auto-value-annotations:1.6.3
com.google.auto.value:auto-value:1.6.3
com.google.code.findbugs:jsr305:3.0.2
com.google.dagger:dagger:2.21
com.google.errorprone:error_prone_annotations:2.3.2
com.google.flogger:flogger-system-backend:0.1
com.google.flogger:flogger:0.1
com.google.guava:failureaccess:1.0.1
com.google.guava:guava:28.1-jre
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
com.google.http-client:google-http-client-jackson2:1.30.1
com.google.http-client:google-http-client:1.30.1
com.google.j2objc:j2objc-annotations:1.3
com.google.oauth-client:google-oauth-client:1.29.2
com.google.re2j:re2j:1.1
com.ibm.icu:icu4j:57.1
commons-codec:commons-codec:1.11
commons-logging:commons-logging:1.2
io.grpc:grpc-context:1.19.0
io.netty:netty-buffer:4.1.31.Final
io.netty:netty-codec-http:4.1.31.Final
io.netty:netty-codec:4.1.31.Final
@@ -17,6 +34,15 @@ io.netty:netty-handler:4.1.31.Final
io.netty:netty-resolver:4.1.31.Final
io.netty:netty-tcnative-boringssl-static:2.0.22.Final
io.netty:netty-transport:4.1.31.Final
io.opencensus:opencensus-api:0.21.0
io.opencensus:opencensus-contrib-http-util:0.21.0
javax.activation:activation:1.1
javax.inject:javax.inject:1
javax.mail:mail:1.4
javax.xml.bind:jaxb-api:2.3.0
joda-time:joda-time:2.9.2
org.apache.httpcomponents:httpclient:4.5.8
org.apache.httpcomponents:httpcore:4.4.11
org.checkerframework:checker-qual:2.8.1
org.codehaus.mojo:animal-sniffer-annotations:1.18
org.yaml:snakeyaml:1.17
@@ -1,14 +1,31 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.9.9
com.google.api-client:google-api-client:1.29.2
com.google.appengine:appengine-api-1.0-sdk:1.9.48
com.google.appengine:appengine-testing:1.9.58
com.google.auth:google-auth-library-credentials:0.16.1
com.google.auth:google-auth-library-oauth2-http:0.16.1
com.google.auto.value:auto-value-annotations:1.6.3
com.google.auto.value:auto-value:1.6.3
com.google.code.findbugs:jsr305:3.0.2
com.google.dagger:dagger:2.21
com.google.errorprone:error_prone_annotations:2.3.2
com.google.flogger:flogger-system-backend:0.1
com.google.flogger:flogger:0.1
com.google.guava:failureaccess:1.0.1
com.google.guava:guava:28.1-jre
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
com.google.http-client:google-http-client-jackson2:1.30.1
com.google.http-client:google-http-client:1.30.1
com.google.j2objc:j2objc-annotations:1.3
com.google.oauth-client:google-oauth-client:1.29.2
com.google.re2j:re2j:1.1
com.ibm.icu:icu4j:57.1
commons-codec:commons-codec:1.11
commons-logging:commons-logging:1.2
io.grpc:grpc-context:1.19.0
io.netty:netty-buffer:4.1.31.Final
io.netty:netty-codec-http:4.1.31.Final
io.netty:netty-codec:4.1.31.Final
@@ -17,6 +34,15 @@ io.netty:netty-handler:4.1.31.Final
io.netty:netty-resolver:4.1.31.Final
io.netty:netty-tcnative-boringssl-static:2.0.22.Final
io.netty:netty-transport:4.1.31.Final
io.opencensus:opencensus-api:0.21.0
io.opencensus:opencensus-contrib-http-util:0.21.0
javax.activation:activation:1.1
javax.inject:javax.inject:1
javax.mail:mail:1.4
javax.xml.bind:jaxb-api:2.3.0
joda-time:joda-time:2.9.2
org.apache.httpcomponents:httpclient:4.5.8
org.apache.httpcomponents:httpcore:4.4.11
org.checkerframework:checker-qual:2.8.1
org.codehaus.mojo:animal-sniffer-annotations:1.18
org.yaml:snakeyaml:1.17
@@ -1,16 +1,32 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.9.9
com.google.api-client:google-api-client:1.29.2
com.google.appengine:appengine-api-1.0-sdk:1.9.48
com.google.appengine:appengine-testing:1.9.58
com.google.auth:google-auth-library-credentials:0.16.1
com.google.auth:google-auth-library-oauth2-http:0.16.1
com.google.auto.value:auto-value-annotations:1.6.3
com.google.auto.value:auto-value:1.6.3
com.google.code.findbugs:jsr305:3.0.2
com.google.dagger:dagger:2.21
com.google.errorprone:error_prone_annotations:2.3.2
com.google.flogger:flogger:0.1
com.google.guava:failureaccess:1.0.1
com.google.guava:guava:28.1-jre
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
com.google.http-client:google-http-client-jackson2:1.30.1
com.google.http-client:google-http-client:1.30.1
com.google.j2objc:j2objc-annotations:1.3
com.google.oauth-client:google-oauth-client:1.29.2
com.google.re2j:re2j:1.1
com.google.truth:truth:1.0
com.googlecode.java-diff-utils:diffutils:1.3.0
com.ibm.icu:icu4j:57.1
commons-codec:commons-codec:1.11
commons-logging:commons-logging:1.2
io.grpc:grpc-context:1.19.0
io.netty:netty-buffer:4.1.31.Final
io.netty:netty-codec-http:4.1.31.Final
io.netty:netty-codec:4.1.31.Final
@@ -18,11 +34,20 @@ io.netty:netty-common:4.1.31.Final
io.netty:netty-handler:4.1.31.Final
io.netty:netty-resolver:4.1.31.Final
io.netty:netty-transport:4.1.31.Final
io.opencensus:opencensus-api:0.21.0
io.opencensus:opencensus-contrib-http-util:0.21.0
javax.activation:activation:1.1
javax.inject:javax.inject:1
javax.mail:mail:1.4
javax.xml.bind:jaxb-api:2.3.0
joda-time:joda-time:2.9.2
junit:junit:4.12
org.apache.httpcomponents:httpclient:4.5.8
org.apache.httpcomponents:httpcore:4.4.11
org.bouncycastle:bcpkix-jdk15on:1.61
org.bouncycastle:bcprov-jdk15on:1.61
org.checkerframework:checker-compat-qual:2.5.5
org.checkerframework:checker-qual:2.8.1
org.codehaus.mojo:animal-sniffer-annotations:1.18
org.hamcrest:hamcrest-core:1.3
org.yaml:snakeyaml:1.17
@@ -1,16 +1,32 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.9.9
com.google.api-client:google-api-client:1.29.2
com.google.appengine:appengine-api-1.0-sdk:1.9.48
com.google.appengine:appengine-testing:1.9.58
com.google.auth:google-auth-library-credentials:0.16.1
com.google.auth:google-auth-library-oauth2-http:0.16.1
com.google.auto.value:auto-value-annotations:1.6.3
com.google.auto.value:auto-value:1.6.3
com.google.code.findbugs:jsr305:3.0.2
com.google.dagger:dagger:2.21
com.google.errorprone:error_prone_annotations:2.3.2
com.google.flogger:flogger:0.1
com.google.guava:failureaccess:1.0.1
com.google.guava:guava:28.1-jre
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
com.google.http-client:google-http-client-jackson2:1.30.1
com.google.http-client:google-http-client:1.30.1
com.google.j2objc:j2objc-annotations:1.3
com.google.oauth-client:google-oauth-client:1.29.2
com.google.re2j:re2j:1.1
com.google.truth:truth:1.0
com.googlecode.java-diff-utils:diffutils:1.3.0
com.ibm.icu:icu4j:57.1
commons-codec:commons-codec:1.11
commons-logging:commons-logging:1.2
io.grpc:grpc-context:1.19.0
io.netty:netty-buffer:4.1.31.Final
io.netty:netty-codec-http:4.1.31.Final
io.netty:netty-codec:4.1.31.Final
@@ -18,11 +34,20 @@ io.netty:netty-common:4.1.31.Final
io.netty:netty-handler:4.1.31.Final
io.netty:netty-resolver:4.1.31.Final
io.netty:netty-transport:4.1.31.Final
io.opencensus:opencensus-api:0.21.0
io.opencensus:opencensus-contrib-http-util:0.21.0
javax.activation:activation:1.1
javax.inject:javax.inject:1
javax.mail:mail:1.4
javax.xml.bind:jaxb-api:2.3.0
joda-time:joda-time:2.9.2
junit:junit:4.12
org.apache.httpcomponents:httpclient:4.5.8
org.apache.httpcomponents:httpcore:4.4.11
org.bouncycastle:bcpkix-jdk15on:1.61
org.bouncycastle:bcprov-jdk15on:1.61
org.checkerframework:checker-compat-qual:2.5.5
org.checkerframework:checker-qual:2.8.1
org.codehaus.mojo:animal-sniffer-annotations:1.18
org.hamcrest:hamcrest-core:1.3
org.yaml:snakeyaml:1.17
@@ -1,17 +1,33 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.9.9
com.google.api-client:google-api-client:1.29.2
com.google.appengine:appengine-api-1.0-sdk:1.9.48
com.google.appengine:appengine-testing:1.9.58
com.google.auth:google-auth-library-credentials:0.16.1
com.google.auth:google-auth-library-oauth2-http:0.16.1
com.google.auto.value:auto-value-annotations:1.6.3
com.google.auto.value:auto-value:1.6.3
com.google.code.findbugs:jsr305:3.0.2
com.google.dagger:dagger:2.21
com.google.errorprone:error_prone_annotations:2.3.2
com.google.flogger:flogger-system-backend:0.1
com.google.flogger:flogger:0.1
com.google.guava:failureaccess:1.0.1
com.google.guava:guava:28.1-jre
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
com.google.http-client:google-http-client-jackson2:1.30.1
com.google.http-client:google-http-client:1.30.1
com.google.j2objc:j2objc-annotations:1.3
com.google.oauth-client:google-oauth-client:1.29.2
com.google.re2j:re2j:1.1
com.google.truth:truth:1.0
com.googlecode.java-diff-utils:diffutils:1.3.0
com.ibm.icu:icu4j:57.1
commons-codec:commons-codec:1.11
commons-logging:commons-logging:1.2
io.grpc:grpc-context:1.19.0
io.netty:netty-buffer:4.1.31.Final
io.netty:netty-codec-http:4.1.31.Final
io.netty:netty-codec:4.1.31.Final
@@ -20,11 +36,20 @@ io.netty:netty-handler:4.1.31.Final
io.netty:netty-resolver:4.1.31.Final
io.netty:netty-tcnative-boringssl-static:2.0.22.Final
io.netty:netty-transport:4.1.31.Final
io.opencensus:opencensus-api:0.21.0
io.opencensus:opencensus-contrib-http-util:0.21.0
javax.activation:activation:1.1
javax.inject:javax.inject:1
javax.mail:mail:1.4
javax.xml.bind:jaxb-api:2.3.0
joda-time:joda-time:2.9.2
junit:junit:4.12
org.apache.httpcomponents:httpclient:4.5.8
org.apache.httpcomponents:httpcore:4.4.11
org.bouncycastle:bcpkix-jdk15on:1.61
org.bouncycastle:bcprov-jdk15on:1.61
org.checkerframework:checker-compat-qual:2.5.5
org.checkerframework:checker-qual:2.8.1
org.codehaus.mojo:animal-sniffer-annotations:1.18
org.hamcrest:hamcrest-core:1.3
org.yaml:snakeyaml:1.17
@@ -1,17 +1,33 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.9.9
com.google.api-client:google-api-client:1.29.2
com.google.appengine:appengine-api-1.0-sdk:1.9.48
com.google.appengine:appengine-testing:1.9.58
com.google.auth:google-auth-library-credentials:0.16.1
com.google.auth:google-auth-library-oauth2-http:0.16.1
com.google.auto.value:auto-value-annotations:1.6.3
com.google.auto.value:auto-value:1.6.3
com.google.code.findbugs:jsr305:3.0.2
com.google.dagger:dagger:2.21
com.google.errorprone:error_prone_annotations:2.3.2
com.google.flogger:flogger-system-backend:0.1
com.google.flogger:flogger:0.1
com.google.guava:failureaccess:1.0.1
com.google.guava:guava:28.1-jre
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
com.google.http-client:google-http-client-jackson2:1.30.1
com.google.http-client:google-http-client:1.30.1
com.google.j2objc:j2objc-annotations:1.3
com.google.oauth-client:google-oauth-client:1.29.2
com.google.re2j:re2j:1.1
com.google.truth:truth:1.0
com.googlecode.java-diff-utils:diffutils:1.3.0
com.ibm.icu:icu4j:57.1
commons-codec:commons-codec:1.11
commons-logging:commons-logging:1.2
io.grpc:grpc-context:1.19.0
io.netty:netty-buffer:4.1.31.Final
io.netty:netty-codec-http:4.1.31.Final
io.netty:netty-codec:4.1.31.Final
@@ -20,11 +36,20 @@ io.netty:netty-handler:4.1.31.Final
io.netty:netty-resolver:4.1.31.Final
io.netty:netty-tcnative-boringssl-static:2.0.22.Final
io.netty:netty-transport:4.1.31.Final
io.opencensus:opencensus-api:0.21.0
io.opencensus:opencensus-contrib-http-util:0.21.0
javax.activation:activation:1.1
javax.inject:javax.inject:1
javax.mail:mail:1.4
javax.xml.bind:jaxb-api:2.3.0
joda-time:joda-time:2.9.2
junit:junit:4.12
org.apache.httpcomponents:httpclient:4.5.8
org.apache.httpcomponents:httpcore:4.4.11
org.bouncycastle:bcpkix-jdk15on:1.61
org.bouncycastle:bcprov-jdk15on:1.61
org.checkerframework:checker-compat-qual:2.5.5
org.checkerframework:checker-qual:2.8.1
org.codehaus.mojo:animal-sniffer-annotations:1.18
org.hamcrest:hamcrest-core:1.3
org.yaml:snakeyaml:1.17
@@ -14,9 +14,13 @@
package google.registry.networking.handler;
import static com.google.common.base.Preconditions.checkArgument;
import static google.registry.util.X509Utils.getCertificateHash;
import com.google.common.collect.ImmutableList;
import com.google.common.flogger.FluentLogger;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFuture;
import io.netty.channel.ChannelHandler.Sharable;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.embedded.EmbeddedChannel;
@@ -29,6 +33,8 @@ import io.netty.util.AttributeKey;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.Promise;
import java.security.PrivateKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.function.Supplier;
@@ -58,6 +64,8 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
private static final FluentLogger logger = FluentLogger.forEnclosingClass();
private final boolean requireClientCert;
// TODO(jianglai): Always validate client certs (if required).
private final boolean validateClientCert;
private final SslProvider sslProvider;
// We use suppliers for the key/cert pair because they are fetched and cached from GCS, and can
// change when the artifacts on GCS changes.
@@ -66,11 +74,16 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
public SslServerInitializer(
boolean requireClientCert,
boolean validateClientCert,
SslProvider sslProvider,
Supplier<PrivateKey> privateKeySupplier,
Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
logger.atInfo().log("Server SSL Provider: %s", sslProvider);
checkArgument(
requireClientCert || !validateClientCert,
"Cannot validate client certificate if client certificate is not required.");
this.requireClientCert = requireClientCert;
this.validateClientCert = validateClientCert;
this.sslProvider = sslProvider;
this.privateKeySupplier = privateKeySupplier;
this.certificatesSupplier = certificatesSupplier;
@@ -95,10 +108,23 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
.addListener(
future -> {
if (future.isSuccess()) {
Promise<X509Certificate> unusedPromise =
clientCertificatePromise.setSuccess(
(X509Certificate)
sslHandler.engine().getSession().getPeerCertificates()[0]);
X509Certificate clientCertificate =
(X509Certificate)
sslHandler.engine().getSession().getPeerCertificates()[0];
try {
clientCertificate.checkValidity();
Promise<X509Certificate> unusedPromise =
clientCertificatePromise.setSuccess(clientCertificate);
} catch (CertificateNotYetValidException | CertificateExpiredException e) {
logger.atWarning().withCause(e).log(
"Client certificate is not valid.\nHash: %s",
getCertificateHash(clientCertificate));
if (validateClientCert) {
Promise<X509Certificate> unusedPromise =
clientCertificatePromise.setFailure(e);
ChannelFuture unusedFuture2 = channel.close();
}
}
} else {
Promise<X509Certificate> unusedPromise =
clientCertificatePromise.setFailure(future.cause());
@@ -61,7 +61,9 @@ public final class NettyRule extends ExternalResource {
// Handler attached to client's channel to record the response received.
private DumpHandler dumpHandler;
private Channel channel;
private Channel clientChannel;
private Channel serverChannel;
public EventLoopGroup getEventLoopGroup() {
return eventLoopGroup;
@@ -79,6 +81,7 @@ public final class NettyRule extends ExternalResource {
ch.pipeline().addLast(handlers);
// Add the "echoHandler" last to log the incoming message and send it back
ch.pipeline().addLast(echoHandler);
serverChannel = ch;
}
};
ServerBootstrap sb =
@@ -109,11 +112,11 @@ public final class NettyRule extends ExternalResource {
.group(eventLoopGroup)
.channel(LocalChannel.class)
.handler(clientInitializer);
channel = b.connect(localAddress).syncUninterruptibly().channel();
clientChannel = b.connect(localAddress).syncUninterruptibly().channel();
}
void checkReady() {
checkState(channel != null, "Must call setUpClient to finish NettyRule setup");
checkState(clientChannel != null, "Must call setUpClient to finish NettyRule setup");
}
/**
@@ -125,16 +128,21 @@ public final class NettyRule extends ExternalResource {
*/
void assertThatMessagesWork() throws Exception {
checkReady();
assertThat(channel.isActive()).isTrue();
assertThat(clientChannel.isActive()).isTrue();
writeToChannelAndFlush(channel, "Hello, world!");
writeToChannelAndFlush(clientChannel, "Hello, world!");
assertThat(echoHandler.getRequestFuture().get()).isEqualTo("Hello, world!");
assertThat(dumpHandler.getResponseFuture().get()).isEqualTo("Hello, world!");
}
Channel getChannel() {
Channel getClientChannel() {
checkReady();
return channel;
return clientChannel;
}
Channel getServerChannel() {
checkReady();
return serverChannel;
}
ThrowableSubject assertThatServerRootCause() {
@@ -18,6 +18,7 @@ import static com.google.common.truth.Truth.assertThat;
import static google.registry.networking.handler.SslInitializerTestUtils.getKeyPair;
import static google.registry.networking.handler.SslInitializerTestUtils.setUpSslChannel;
import static google.registry.networking.handler.SslInitializerTestUtils.signKeyPair;
import static google.registry.networking.handler.SslInitializerTestUtils.verifySslExcpetion;
import com.google.common.collect.ImmutableList;
import io.netty.channel.Channel;
@@ -39,7 +40,12 @@ import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.function.Function;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
@@ -159,7 +165,7 @@ public class SslClientInitializerTest {
// exceptions.
nettyRule.assertThatClientRootCause().isInstanceOf(CertPathBuilderException.class);
nettyRule.assertThatServerRootCause().isInstanceOf(SSLException.class);
assertThat(nettyRule.getChannel().isActive()).isFalse();
assertThat(nettyRule.getClientChannel().isActive()).isFalse();
}
@Test
@@ -184,13 +190,81 @@ public class SslClientInitializerTest {
sslProvider, hostProvider, portProvider, ImmutableList.of(ssc.cert()), null, null);
nettyRule.setUpClient(localAddress, sslClientInitializer);
setUpSslChannel(nettyRule.getChannel(), cert);
setUpSslChannel(nettyRule.getClientChannel(), cert);
nettyRule.assertThatMessagesWork();
// Verify that the SNI extension is sent during handshake.
assertThat(sniHostReceived).isEqualTo(SSL_HOST);
}
@Test
public void testFailure_customTrustManager_serverCertExpired() throws Exception {
LocalAddress localAddress =
new LocalAddress("CUSTOM_TRUST_MANAGER_SERVE_CERT_EXPIRED_" + sslProvider);
// Generate a new key pair.
KeyPair keyPair = getKeyPair();
// Generate a self signed certificate, and use it to sign the key pair.
SelfSignedCertificate ssc = new SelfSignedCertificate();
X509Certificate cert =
signKeyPair(
ssc,
keyPair,
SSL_HOST,
Date.from(Instant.now().minus(Duration.ofDays(2))),
Date.from(Instant.now().minus(Duration.ofDays(1))));
// Set up the server to use the signed cert and private key to perform handshake;
PrivateKey privateKey = keyPair.getPrivate();
nettyRule.setUpServer(localAddress, getServerHandler(false, privateKey, cert));
// Set up the client to trust the self signed cert used to sign the cert that server provides.
SslClientInitializer<LocalChannel> sslClientInitializer =
new SslClientInitializer<>(
sslProvider, hostProvider, portProvider, ImmutableList.of(ssc.cert()), null, null);
nettyRule.setUpClient(localAddress, sslClientInitializer);
verifySslExcpetion(
nettyRule.getClientChannel(),
channel -> channel.pipeline().get(SslHandler.class).handshakeFuture().get(),
CertificateExpiredException.class);
}
@Test
public void testFailure_customTrustManager_serverCertNotYetValid() throws Exception {
LocalAddress localAddress =
new LocalAddress("CUSTOM_TRUST_MANAGER_SERVE_CERT_NOT_YET_VALID_" + sslProvider);
// Generate a new key pair.
KeyPair keyPair = getKeyPair();
// Generate a self signed certificate, and use it to sign the key pair.
SelfSignedCertificate ssc = new SelfSignedCertificate();
X509Certificate cert =
signKeyPair(
ssc,
keyPair,
SSL_HOST,
Date.from(Instant.now().plus(Duration.ofDays(1))),
Date.from(Instant.now().plus(Duration.ofDays(2))));
// Set up the server to use the signed cert and private key to perform handshake;
PrivateKey privateKey = keyPair.getPrivate();
nettyRule.setUpServer(localAddress, getServerHandler(false, privateKey, cert));
// Set up the client to trust the self signed cert used to sign the cert that server provides.
SslClientInitializer<LocalChannel> sslClientInitializer =
new SslClientInitializer<>(
sslProvider, hostProvider, portProvider, ImmutableList.of(ssc.cert()), null, null);
nettyRule.setUpClient(localAddress, sslClientInitializer);
verifySslExcpetion(
nettyRule.getClientChannel(),
channel -> channel.pipeline().get(SslHandler.class).handshakeFuture().get(),
CertificateNotYetValidException.class);
}
@Test
public void testSuccess_customTrustManager_acceptSelfSignedCert_clientCertRequired()
throws Exception {
@@ -215,7 +289,7 @@ public class SslClientInitializerTest {
() -> ImmutableList.of(clientSsc.cert()));
nettyRule.setUpClient(localAddress, sslClientInitializer);
SSLSession sslSession = setUpSslChannel(nettyRule.getChannel(), serverSsc.cert());
SSLSession sslSession = setUpSslChannel(nettyRule.getClientChannel(), serverSsc.cert());
nettyRule.assertThatMessagesWork();
// Verify that the SNI extension is sent during handshake.
@@ -255,6 +329,6 @@ public class SslClientInitializerTest {
nettyRule.assertThatClientRootCause().isInstanceOf(CertificateException.class);
nettyRule.assertThatClientRootCause().hasMessageThat().contains(SSL_HOST);
nettyRule.assertThatServerRootCause().isInstanceOf(SSLException.class);
assertThat(nettyRule.getChannel().isActive()).isFalse();
assertThat(nettyRule.getClientChannel().isActive()).isFalse();
}
}
@@ -15,8 +15,11 @@
package google.registry.networking.handler;
import static com.google.common.truth.Truth.assertThat;
import static google.registry.testing.JUnitBackports.assertThrows;
import com.google.common.base.Throwables;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFuture;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.math.BigInteger;
@@ -28,6 +31,7 @@ import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.concurrent.ExecutionException;
import javax.net.ssl.SSLSession;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
@@ -61,17 +65,17 @@ public final class SslInitializerTestUtils {
}
/**
* Signs the given key pair with the given self signed certificate.
* Signs the given key pair with the given self signed certificate to generate a certificate with
* the given validity range.
*
* @return signed public key (of the key pair) certificate
*/
public static X509Certificate signKeyPair(
SelfSignedCertificate ssc, KeyPair keyPair, String hostname) throws Exception {
SelfSignedCertificate ssc, KeyPair keyPair, String hostname, Date from, Date to)
throws Exception {
X500Name subjectDnName = new X500Name("CN=" + hostname);
BigInteger serialNumber = BigInteger.valueOf(System.currentTimeMillis());
X500Name issuerDnName = new X500Name(ssc.cert().getIssuerDN().getName());
Date from = Date.from(Instant.now().minus(Duration.ofDays(1)));
Date to = Date.from(Instant.now().plus(Duration.ofDays(1)));
SubjectPublicKeyInfo subPubKeyInfo =
SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
AlgorithmIdentifier sigAlgId =
@@ -89,6 +93,22 @@ public final class SslInitializerTestUtils {
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
}
/**
* Signs the given key pair with the given self signed certificate to generate a certificate that
* is valid from yesterday to tomorrow.
*
* @return signed public key (of the key pair) certificate
*/
public static X509Certificate signKeyPair(
SelfSignedCertificate ssc, KeyPair keyPair, String hostname) throws Exception {
return signKeyPair(
ssc,
keyPair,
hostname,
Date.from(Instant.now().minus(Duration.ofDays(1))),
Date.from(Instant.now().plus(Duration.ofDays(1))));
}
/**
* Verifies tha the SSL channel is established as expected, and also sends a message to the server
* and verifies if it is echoed back correctly.
@@ -110,4 +130,25 @@ public final class SslInitializerTestUtils {
// Returns the SSL session for further assertion.
return sslHandler.engine().getSession();
}
/** Verifies tha the SSL channel cannot be established due to a given exception. */
static void verifySslExcpetion(
Channel channel, CheckedConsumer<Channel> operation, Class<? extends Exception> cause)
throws Exception {
// Extract SSL exception from the handshake future.
Exception exception = assertThrows(ExecutionException.class, () -> operation.accept(channel));
// Verify that the exception is caused by the expected cause.
assertThat(Throwables.getRootCause(exception)).isInstanceOf(cause);
// Ensure that the channel is closed. If this step times out, the channel is not properly
// closed.
ChannelFuture unusedFuture = channel.closeFuture().syncUninterruptibly();
}
/** A consumer that can throw checked exceptions. */
@FunctionalInterface
interface CheckedConsumer<T> {
void accept(T t) throws Exception;
}
}
@@ -18,6 +18,8 @@ import static com.google.common.truth.Truth.assertThat;
import static google.registry.networking.handler.SslInitializerTestUtils.getKeyPair;
import static google.registry.networking.handler.SslInitializerTestUtils.setUpSslChannel;
import static google.registry.networking.handler.SslInitializerTestUtils.signKeyPair;
import static google.registry.networking.handler.SslInitializerTestUtils.verifySslExcpetion;
import static google.registry.networking.handler.SslServerInitializer.CLIENT_CERTIFICATE_PROMISE_KEY;
import com.google.common.base.Suppliers;
import com.google.common.collect.ImmutableList;
@@ -35,7 +37,12 @@ import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
@@ -82,18 +89,18 @@ public class SslServerInitializerTest {
}
private ChannelHandler getServerHandler(
boolean requireClientCert, PrivateKey privateKey, X509Certificate... certificates) {
boolean requireClientCert,
boolean validateClientCert,
PrivateKey privateKey,
X509Certificate... certificates) {
return new SslServerInitializer<LocalChannel>(
requireClientCert,
validateClientCert,
sslProvider,
Suppliers.ofInstance(privateKey),
Suppliers.ofInstance(ImmutableList.copyOf(certificates)));
}
private ChannelHandler getServerHandler(PrivateKey privateKey, X509Certificate... certificates) {
return getServerHandler(true, privateKey, certificates);
}
private ChannelHandler getClientHandler(
X509Certificate trustedCertificate, PrivateKey privateKey, X509Certificate certificate) {
return new ChannelInitializer<LocalChannel>() {
@@ -124,6 +131,7 @@ public class SslServerInitializerTest {
SslServerInitializer<EmbeddedChannel> sslServerInitializer =
new SslServerInitializer<>(
true,
false,
sslProvider,
Suppliers.ofInstance(ssc.key()),
Suppliers.ofInstance(ImmutableList.of(ssc.cert())));
@@ -142,12 +150,13 @@ public class SslServerInitializerTest {
SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST);
LocalAddress localAddress = new LocalAddress("TRUST_ANY_CLIENT_CERT_" + sslProvider);
nettyRule.setUpServer(localAddress, getServerHandler(serverSsc.key(), serverSsc.cert()));
nettyRule.setUpServer(
localAddress, getServerHandler(true, false, serverSsc.key(), serverSsc.cert()));
SelfSignedCertificate clientSsc = new SelfSignedCertificate();
nettyRule.setUpClient(
localAddress, getClientHandler(serverSsc.cert(), clientSsc.key(), clientSsc.cert()));
SSLSession sslSession = setUpSslChannel(nettyRule.getChannel(), serverSsc.cert());
SSLSession sslSession = setUpSslChannel(nettyRule.getClientChannel(), serverSsc.cert());
nettyRule.assertThatMessagesWork();
// Verify that the SSL session gets the client cert. Note that this SslSession is for the client
@@ -157,15 +166,58 @@ public class SslServerInitializerTest {
assertThat(sslSession.getPeerCertificates()).asList().containsExactly(serverSsc.cert());
}
@Test
public void testFailure_clientCertExpired() throws Exception {
SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST);
LocalAddress localAddress = new LocalAddress("CLIENT_CERT_EXPIRED_" + sslProvider);
nettyRule.setUpServer(
localAddress, getServerHandler(true, true, serverSsc.key(), serverSsc.cert()));
SelfSignedCertificate clientSsc =
new SelfSignedCertificate(
"CLIENT",
Date.from(Instant.now().minus(Duration.ofDays(2))),
Date.from(Instant.now().minus(Duration.ofDays(1))));
nettyRule.setUpClient(
localAddress, getClientHandler(serverSsc.cert(), clientSsc.key(), clientSsc.cert()));
verifySslExcpetion(
nettyRule.getServerChannel(),
channel -> channel.attr(CLIENT_CERTIFICATE_PROMISE_KEY).get().get(),
CertificateExpiredException.class);
}
@Test
public void testFailure_clientCertNotYetValid() throws Exception {
SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST);
LocalAddress localAddress = new LocalAddress("CLIENT_CERT_EXPIRED_" + sslProvider);
nettyRule.setUpServer(
localAddress, getServerHandler(true, true, serverSsc.key(), serverSsc.cert()));
SelfSignedCertificate clientSsc =
new SelfSignedCertificate(
"CLIENT",
Date.from(Instant.now().plus(Duration.ofDays(1))),
Date.from(Instant.now().plus(Duration.ofDays(2))));
nettyRule.setUpClient(
localAddress, getClientHandler(serverSsc.cert(), clientSsc.key(), clientSsc.cert()));
verifySslExcpetion(
nettyRule.getServerChannel(),
channel -> channel.attr(CLIENT_CERTIFICATE_PROMISE_KEY).get().get(),
CertificateNotYetValidException.class);
}
@Test
public void testSuccess_doesNotRequireClientCert() throws Exception {
SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST);
LocalAddress localAddress = new LocalAddress("DOES_NOT_REQUIRE_CLIENT_CERT_" + sslProvider);
nettyRule.setUpServer(localAddress, getServerHandler(false, serverSsc.key(), serverSsc.cert()));
nettyRule.setUpServer(
localAddress, getServerHandler(false, false, serverSsc.key(), serverSsc.cert()));
nettyRule.setUpClient(localAddress, getClientHandler(serverSsc.cert(), null, null));
SSLSession sslSession = setUpSslChannel(nettyRule.getChannel(), serverSsc.cert());
SSLSession sslSession = setUpSslChannel(nettyRule.getClientChannel(), serverSsc.cert());
nettyRule.assertThatMessagesWork();
// Verify that the SSL session does not contain any client cert. Note that this SslSession is
@@ -186,6 +238,8 @@ public class SslServerInitializerTest {
nettyRule.setUpServer(
localAddress,
getServerHandler(
true,
false,
keyPair.getPrivate(),
// Serving both the server cert, and the CA cert
serverCert,
@@ -197,7 +251,7 @@ public class SslServerInitializerTest {
// Client trusts the CA cert
caSsc.cert(), clientSsc.key(), clientSsc.cert()));
SSLSession sslSession = setUpSslChannel(nettyRule.getChannel(), serverCert, caSsc.cert());
SSLSession sslSession = setUpSslChannel(nettyRule.getClientChannel(), serverCert, caSsc.cert());
nettyRule.assertThatMessagesWork();
assertThat(sslSession.getLocalCertificates()).asList().containsExactly(clientSsc.cert());
@@ -212,7 +266,8 @@ public class SslServerInitializerTest {
SelfSignedCertificate serverSsc = new SelfSignedCertificate(SSL_HOST);
LocalAddress localAddress = new LocalAddress("REQUIRE_CLIENT_CERT_" + sslProvider);
nettyRule.setUpServer(localAddress, getServerHandler(serverSsc.key(), serverSsc.cert()));
nettyRule.setUpServer(
localAddress, getServerHandler(true, false, serverSsc.key(), serverSsc.cert()));
nettyRule.setUpClient(
localAddress,
getClientHandler(
@@ -225,7 +280,7 @@ public class SslServerInitializerTest {
// should throw exceptions.
nettyRule.assertThatServerRootCause().isInstanceOf(SSLHandshakeException.class);
nettyRule.assertThatClientRootCause().isInstanceOf(SSLException.class);
assertThat(nettyRule.getChannel().isActive()).isFalse();
assertThat(nettyRule.getClientChannel().isActive()).isFalse();
}
@Test
@@ -233,7 +288,8 @@ public class SslServerInitializerTest {
SelfSignedCertificate serverSsc = new SelfSignedCertificate("wrong.com");
LocalAddress localAddress = new LocalAddress("WRONG_HOSTNAME_" + sslProvider);
nettyRule.setUpServer(localAddress, getServerHandler(serverSsc.key(), serverSsc.cert()));
nettyRule.setUpServer(
localAddress, getServerHandler(true, false, serverSsc.key(), serverSsc.cert()));
SelfSignedCertificate clientSsc = new SelfSignedCertificate();
nettyRule.setUpClient(
localAddress, getClientHandler(serverSsc.cert(), clientSsc.key(), clientSsc.cert()));
@@ -243,6 +299,6 @@ public class SslServerInitializerTest {
nettyRule.assertThatClientRootCause().isInstanceOf(CertificateException.class);
nettyRule.assertThatClientRootCause().hasMessageThat().contains(SSL_HOST);
nettyRule.assertThatServerRootCause().isInstanceOf(SSLException.class);
assertThat(nettyRule.getChannel().isActive()).isFalse();
assertThat(nettyRule.getClientChannel().isActive()).isFalse();
}
}
@@ -162,7 +162,8 @@ public final class EppProtocolModule {
SslProvider sslProvider,
Supplier<PrivateKey> privateKeySupplier,
Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
return new SslServerInitializer<>(true, sslProvider, privateKeySupplier, certificatesSupplier);
return new SslServerInitializer<>(
true, false, sslProvider, privateKeySupplier, certificatesSupplier);
}
@Provides
@@ -134,6 +134,7 @@ public final class WebWhoisProtocolsModule {
SslProvider sslProvider,
Supplier<PrivateKey> privateKeySupplier,
Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
return new SslServerInitializer<>(false, sslProvider, privateKeySupplier, certificatesSupplier);
return new SslServerInitializer<>(
false, false, sslProvider, privateKeySupplier, certificatesSupplier);
}
}
+4 -6
View File
@@ -65,8 +65,8 @@ steps:
# Build and package the deployment files for production.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
args: ['release/build_nomulus_for_env.sh', 'production', 'output']
# Tentatively build and publish Cloud SQL schema jar here, before schema release
# process is finalized.
# Tentatively build Cloud SQL schema jar here, before schema release process
# is finalized.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
entrypoint: /bin/bash
args:
@@ -74,11 +74,9 @@ steps:
- |
set -e
./gradlew \
:db:publish \
:db:schemaJar \
-PmavenUrl=https://storage.googleapis.com/domain-registry-maven-repository/maven \
-PpluginsUrl=https://storage.googleapis.com/domain-registry-maven-repository/plugins \
-Pschema_publish_repo=gcs://domain-registry-maven-repository/nomulus \
-Pschema_version=${TAG_NAME}
-PpluginsUrl=https://storage.googleapis.com/domain-registry-maven-repository/plugins
cp db/build/libs/schema.jar output/
# The tarballs and jars to upload to GCS.
artifacts: