From 01ecba51b00531b2ad72d9a3fbe5d5cd9312dabc Mon Sep 17 00:00:00 2001
From: Guillaume Le Floch
Date: Thu, 28 May 2020 14:34:15 +0200
Subject: [PATCH] Add global quarkus.tls.trust-all configuration property
---
 .../java/io/quarkus/runtime/TlsConfig.java | 19 +++++++++++++
 .../runtime/KubernetesClientBuildConfig.java | 4 ++-
 .../io/quarkus/mailer/runtime/MailConfig.java | 4 ++-
 .../io/quarkus/oidc/OidcTenantConfig.java | 27 ++++---------------
 .../io/quarkus/oidc/runtime/OidcRecorder.java | 3 +--
 .../runtime/client/OkHttpClientFactory.java | 2 +-
 .../vault/runtime/config/VaultTlsConfig.java | 5 ++--
 .../runtime/config/EventBusConfiguration.java | 4 ++-
 .../src/main/resources/application.properties | 2 +-
 .../application-vault-multi-path.properties | 3 ++-
 .../application-vault-totp.properties | 3 ++-
 ...cation-vault-userpass-kvv2-wrap.properties | 1 -
 12 files changed, 43 insertions(+), 34 deletions(-)
 create mode 100644 core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java
diff --git a/core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java b/core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java
new file mode 100644
index 00000000000000..967fd6cb4c14b0
--- /dev/null
+++ b/core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java
@@ -0,0 +1,19 @@
+package io.quarkus.runtime;
+
+import io.quarkus.runtime.annotations.ConfigItem;
+import io.quarkus.runtime.annotations.ConfigPhase;
+import io.quarkus.runtime.annotations.ConfigRoot;
+
+/**
+ * Configuration class allowing to globally set TLS properties.
+ */
+@ConfigRoot(phase = ConfigPhase.RUN_TIME)
+public class TlsConfig {
+
+ /**
+ * Enable trusting all certificates. Disable by default.
+ */
+ @ConfigItem(defaultValue = "false")
+ public boolean trustAll;
+
+}
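Review bot: The Javadoc on `trustAll` does not say what trusting all certificates means for the application: once `quarkus.tls.trust-all=true` is set, every extension that reads it through a `${quarkus.tls.trust-all}` default stops validating server certificates, and for OIDC the recorder in this commit also turns hostname verification off, so a single property disables TLS server authentication application-wide. State that here the way VaultTlsConfig already does for `skipVerify`, e.g. `Trust all server certificates (and, where the extension supports it, skip hostname verification) for every extension that honours this property. Intended for development and testing only, as it exposes the application to man-in-the-middle attacks. Disabled by default.`, which also fixes the grammar of "Disable by default". The class Javadoc could name the property key `quarkus.tls.trust-all`, since the key is derived from the class name and is not visible in the source.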
diff --git a/extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java b/extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java index a5512d5d1f28c6..9669f21fe0d00b 100644 --- a/extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java +++ b/extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java @@ -12,8 +12,10 @@ public class KubernetesClientBuildConfig { /** * Whether or not the client should trust a self signed certificate if so presented by the API server + * + * @deprecated use quarkus.tls.trust-all instead */ - @ConfigItem + @ConfigItem(defaultValue = "${quarkus.tls.trust-all:unset}") public boolean trustCerts; /** diff --git a/extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java b/extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java index 6a12c598d04d3a..474f7c7dbcb62f 100644 --- a/extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java +++ b/extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java @@ -66,8 +66,10 @@ public class MailConfig { /** * Set whether to trust all certificates on ssl connect the option is also * applied to {@code STARTTLS} operation. {@code false} by default. + * + * @deprecated use quarkus.tls.trust-all instead */ - @ConfigItem + @ConfigItem(defaultValue = "${quarkus.tls.trust-all:false}") public boolean trustAll; /** diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java index d6a3db400063ca..d72813629aee9d 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java 
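Review bot: `${quarkus.tls.trust-all:unset}` falls back to the string "unset" on a `boolean` field, which no boolean converter accepts, so whenever the fallback is actually taken startup fails instead of defaulting to verification on; `:false`, as MailConfig uses in the next hunk, is the only sensible fallback, and EventBusConfiguration's `trustAll` carries the same `:unset`. The fallback matters more than it looks here because this class is named as a build-time config root: if its `@ConfigRoot` (outside the hunk) is build-time phase, the expansion is evaluated at build time and a run-time `quarkus.tls.trust-all` set at deployment never reaches `trustCerts` at all, which is worth confirming. The `@deprecated` Javadoc tag is also added without the `@Deprecated` annotation, so neither the compiler nor IDEs flag uses of the field; add `@Deprecated` above `@ConfigItem` here and on the deprecated fields in MailConfig, OidcTenantConfig, VaultTlsConfig and EventBusConfiguration.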
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java @@ -120,31 +120,14 @@ public class OidcTenantConfig { @ConfigGroup public static class Tls { - public enum Verification { - /** - * Certificates are validated and hostname verification is enabled. This is the default value. - */ - REQUIRED, - /** - * All certificated are trusted and hostname verification is disabled. - */ - NONE - } /** - * Certificate validation and hostname verification, which can be one of the following values from enum - * {@link Verification}. Default is required. + * Enable or disable certificate validation and hostname verification. Enable by default. + * + * @deprecated use quarkus.tls.trust-all instead */ - @ConfigItem(defaultValue = "REQUIRED") - public Verification verification; - - public Verification getVerification() { - return verification; - } - - public void setVerification(Verification verification) { - this.verification = verification; - } + @ConfigItem(defaultValue = "${quarkus.tls.trust-all:false}") + public boolean verification; } diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java index d3ec881c8f5138..aea2fcc4d866d4 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java @@ -15,7 +15,6 @@ import io.quarkus.oidc.OidcTenantConfig.ApplicationType; import io.quarkus.oidc.OidcTenantConfig.Credentials; import io.quarkus.oidc.OidcTenantConfig.Credentials.Secret; -import io.quarkus.oidc.OidcTenantConfig.Tls.Verification; import io.quarkus.runtime.annotations.Recorder; import io.quarkus.runtime.configuration.ConfigurationException; import io.vertx.core.AsyncResult; 
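Review bot: The new `boolean verification` means the opposite of its name and Javadoc: the OidcRecorder hunk in this commit runs `options.setTrustAll(true)` and `options.setVerifyHost(false)` when `verification` is true, and the field defaults to `${quarkus.tls.trust-all:false}`, so `quarkus.oidc.tls.verification=true` disables certificate and hostname verification while the Javadoc says it enables them. An operator who sets it to `true` to harden a tenant gets the reverse with no warning; either keep the `Verification` enum and map the global property onto it, or rename the field to `trustAll` so the value and the Javadoc agree (`Trust all certificates and disable hostname verification. Disabled by default.`), with the recorder condition changed to match. Removing the public `Verification` enum and the `getVerification`/`setVerification` accessors is also a breaking change for code that builds `OidcTenantConfig` programmatically, which a `@deprecated` tag does not cover.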
@@ -141,7 +140,7 @@ private TenantConfigContext createTenantContext(Vertx vertx, OidcTenantConfig oi options.setProxyOptions(proxyOpt.get()); } - if (oidcConfig.tls.verification == Verification.NONE) { + if (oidcConfig.tls.verification) { options.setTrustAll(true); options.setVerifyHost(false); } diff --git a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpClientFactory.java b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpClientFactory.java index 1f31b075d05dd3..d686ce9dcf8132 100644 --- a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpClientFactory.java +++ b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpClientFactory.java @@ -3,7 +3,7 @@ import static io.quarkus.vault.runtime.client.CertificateHelper.createSslContext; import static io.quarkus.vault.runtime.client.CertificateHelper.createTrustManagers; import static io.quarkus.vault.runtime.config.VaultAuthenticationType.KUBERNETES; -import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.KUBERNETES_CACERT; +import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.*; import java.io.IOException; import java.security.GeneralSecurityException; diff --git a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultTlsConfig.java b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultTlsConfig.java index ae253f46d85a87..888da13a5e5f6a 100644 --- a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultTlsConfig.java +++ b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultTlsConfig.java @@ -1,6 +1,5 @@ package io.quarkus.vault.runtime.config; -import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.DEFAULT_TLS_SKIP_VERIFY; import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.DEFAULT_TLS_USE_KUBERNETES_CACERT; import java.util.Optional; 
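Review bot: Replacing the single `KUBERNETES_CACERT` static import with `import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.*;` pulls every constant of `VaultRuntimeConfig` into this file's namespace, hides which ones the factory actually uses, and can silently change meaning when a constant with a clashing name is added later. Import the constants by name instead, keeping `import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.KUBERNETES_CACERT;` and adding one line for whichever other constant the body now references. The class body is outside the hunk, so which constant prompted the wildcard is not visible here.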
@@ -17,8 +16,10 @@ public class VaultTlsConfig { * If true this will allow TLS communications with Vault, without checking the validity of the * certificate presented by Vault. This is discouraged in production because it allows man in the middle * type of attacks. + * + * @deprecated use quarkus.tls.trust-all instead */ - @ConfigItem(defaultValue = DEFAULT_TLS_SKIP_VERIFY) + @ConfigItem(defaultValue = "${quarkus.tls.trust-all}") public boolean skipVerify; /** diff --git a/extensions/vertx-core/runtime/src/main/java/io/quarkus/vertx/core/runtime/config/EventBusConfiguration.java b/extensions/vertx-core/runtime/src/main/java/io/quarkus/vertx/core/runtime/config/EventBusConfiguration.java index fa759505f1e4b4..b05b0cabaf88a7 100644 --- a/extensions/vertx-core/runtime/src/main/java/io/quarkus/vertx/core/runtime/config/EventBusConfiguration.java +++ b/extensions/vertx-core/runtime/src/main/java/io/quarkus/vertx/core/runtime/config/EventBusConfiguration.java @@ -138,8 +138,10 @@ public class EventBusConfiguration { /** * Enables or disables the trust all parameter. + * + * @deprecated use quarkus.tls.trust-all instead */ - @ConfigItem + @ConfigItem(defaultValue = "${quarkus.tls.trust-all:unset}") public boolean trustAll; } diff --git a/integration-tests/oidc/src/main/resources/application.properties b/integration-tests/oidc/src/main/resources/application.properties index b17acd572094b8..57a88570a21418 100644 --- a/integration-tests/oidc/src/main/resources/application.properties +++ b/integration-tests/oidc/src/main/resources/application.properties @@ -3,4 +3,4 @@ quarkus.oidc.auth-server-url=${keycloak.ssl.url}/realms/quarkus quarkus.oidc.client-id=quarkus-app quarkus.oidc.token.principal-claim=email quarkus.http.cors=true -quarkus.oidc.tls.verification=none +quarkus.tls.trust-all=true 
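Review bot: `defaultValue = "${quarkus.tls.trust-all}"` is the only expansion in this commit without a fallback, so if the global property cannot be resolved when VaultTlsConfig is read the application fails at startup rather than defaulting to verification on; use `${quarkus.tls.trust-all:false}` like the other extensions. Deleting the `DEFAULT_TLS_SKIP_VERIFY` import leaves open whether the constant in VaultRuntimeConfig was removed as well; if it still exists it is now unused and should go too. The enclosing Javadoc starts before the hunk.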
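Review bot: Swapping `quarkus.oidc.tls.verification=none` for the global `quarkus.tls.trust-all=true` means no integration test sets the OIDC-specific property any more, so the new boolean `quarkus.oidc.tls.verification` and its default from the global property are never exercised directly. Keeping one test configuration on the extension-level property, with the global left unset, would show whether that value disables or enables verification, which is exactly the point the Java change leaves ambiguous. The global property also affects every other TLS client in this test application, not only the OIDC one, which is a wider relaxation than the line it replaces.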
diff --git a/integration-tests/vault/src/test/resources/application-vault-multi-path.properties b/integration-tests/vault/src/test/resources/application-vault-multi-path.properties index 8a2452d1fc34f2..8b8f3f4cab7282 100644 --- a/integration-tests/vault/src/test/resources/application-vault-multi-path.properties +++ b/integration-tests/vault/src/test/resources/application-vault-multi-path.properties @@ -4,7 +4,8 @@ quarkus.vault.authentication.userpass.password=sinclair quarkus.vault.secret-config-kv-path=multi/default1,multi/default2 quarkus.vault.secret-config-kv-path.singer=multi/singer1,multi/singer2 -quarkus.vault.tls.skip-verify=true +#quarkus.vault.tls.skip-verify=true +quarkus.tls.trust-all=true # CI can sometimes be slow, there is no need to fail a test if Vault doesn't respond in 1 second which is the default quarkus.vault.read-timeout=5S diff --git a/integration-tests/vault/src/test/resources/application-vault-totp.properties b/integration-tests/vault/src/test/resources/application-vault-totp.properties index cb5c9c4037cccc..2530a624b9e14e 100644 --- a/integration-tests/vault/src/test/resources/application-vault-totp.properties +++ b/integration-tests/vault/src/test/resources/application-vault-totp.properties @@ -2,7 +2,8 @@ quarkus.vault.url=https://localhost:8200 quarkus.vault.authentication.userpass.username=bob quarkus.vault.authentication.userpass.password=sinclair -quarkus.vault.tls.skip-verify=true +#quarkus.vault.tls.skip-verify=true +quarkus.tls.trust-all=true # CI can sometimes be slow, there is no need to fail a test if Vault doesn't respond in 1 second which is the default quarkus.vault.read-timeout=5S diff --git a/integration-tests/vault/src/test/resources/application-vault-userpass-kvv2-wrap.properties b/integration-tests/vault/src/test/resources/application-vault-userpass-kvv2-wrap.properties index 99d5b2d0881c46..59ea870ceaf790 100644 --- a/integration-tests/vault/src/test/resources/application-vault-userpass-kvv2-wrap.properties 
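Review bot: The commented-out `#quarkus.vault.tls.skip-verify=true` line is left behind after the replacement, here and in application-vault-totp.properties, and reads as if the setting were still needed; since `quarkus.vault.tls.skip-verify` now defaults from `quarkus.tls.trust-all`, delete the commented line instead of keeping it as a reminder. If the intent is to document the migration, a comment such as `# TLS verification is disabled via quarkus.tls.trust-all (replaces quarkus.vault.tls.skip-verify)` says so explicitly.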
+++ b/integration-tests/vault/src/test/resources/application-vault-userpass-kvv2-wrap.properties @@ -9,7 +9,6 @@ quarkus.vault.tls.ca-cert=src/test/resources/vault-tls.crt quarkus.vault.log-confidentiality-level=low quarkus.vault.renew-grace-period=10 - quarkus.log.category."io.quarkus.vault".level=DEBUG # CI can sometimes be slow, there is no need to fail a test if Vault doesn't respond in 1 second which is the default