Add global quarkus.tls.trust-all configuration property
glefloch committed Nov 10, 2020
1 parent 3a87dfd commit 70e460e
Showing 26 changed files with 204 additions and 67 deletions.
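--- a/core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java
+++ b/core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java
@@ -0,0 +1,19 @@
+package io.quarkus.runtime;
+
+import io.quarkus.runtime.annotations.ConfigItem;
+import io.quarkus.runtime.annotations.ConfigPhase;
+import io.quarkus.runtime.annotations.ConfigRoot;
+
+/**
+* Configuration class allowing to globally set TLS properties.
+*/
+@ConfigRoot(phase = ConfigPhase.BUILD_AND_RUN_TIME_FIXED)
+public class TlsConfig {
+
+/**
+* Enable trusting all certificates. Disable by default.
+*/
+@ConfigItem(defaultValue = "false")
+public boolean trustAll;
+
+}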
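Review bot: The Javadoc on `trustAll` understates what the property does and has a grammar slip ("Disable by default"); since this commit wires the same flag into the Kubernetes, mail and OIDC clients, the comment should say that it switches off server certificate validation for every TLS client Quarkus configures and is meant for development or test setups only. Suggested wording: `Enable trusting all certificates. Disabled by default. When set, server certificate validation is skipped by every Quarkus-managed TLS client, so it should only be used in development or test environments.` Because the root is declared with `ConfigPhase.BUILD_AND_RUN_TIME_FIXED`, it is probably also worth stating in the Javadoc that the value is fixed at build time and a runtime-only override will not take effect; confirm against how that phase is documented before adding it.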
Expand Up @@ -5,13 +5,14 @@
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.kubernetes.client.runtime.KubernetesClientBuildConfig;
import io.quarkus.kubernetes.client.spi.KubernetesClientBuildItem;
import io.quarkus.runtime.TlsConfig;

public class KubernetesClientBuildStep {

private KubernetesClientBuildConfig buildConfig;

@BuildStep
public KubernetesClientBuildItem process() {
return new KubernetesClientBuildItem(createClient(buildConfig));
public KubernetesClientBuildItem process(TlsConfig tlsConfig) {
return new KubernetesClientBuildItem(createClient(buildConfig, tlsConfig));
}
}
Expand Up @@ -8,6 +8,7 @@
import io.fabric8.kubernetes.client.DefaultKubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.quarkus.arc.DefaultBean;
import io.quarkus.runtime.TlsConfig;

@Singleton
public class KubernetesClientProducer {
Expand All @@ -17,8 +18,8 @@ public class KubernetesClientProducer {
@DefaultBean
@Singleton
@Produces
public Config config(KubernetesClientBuildConfig buildConfig) {
return KubernetesClientUtils.createConfig(buildConfig);
public Config config(KubernetesClientBuildConfig buildConfig, TlsConfig tlsConfig) {
return KubernetesClientUtils.createConfig(buildConfig, tlsConfig);
}

@DefaultBean
Expand Up @@ -8,15 +8,16 @@
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.DefaultKubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.quarkus.runtime.TlsConfig;

public class KubernetesClientUtils {

private static final String PREFIX = "quarkus.kubernetes-client.";

public static Config createConfig(KubernetesClientBuildConfig buildConfig) {
public static Config createConfig(KubernetesClientBuildConfig buildConfig, TlsConfig tlsConfig) {
Config base = Config.autoConfigure(null);
return new ConfigBuilder()
.withTrustCerts(buildConfig.trustCerts)
.withTrustCerts(buildConfig.trustCerts || tlsConfig.trustAll)
.withWatchReconnectInterval((int) buildConfig.watchReconnectInterval.toMillis())
.withWatchReconnectLimit(buildConfig.watchReconnectLimit)
.withConnectionTimeout((int) buildConfig.connectionTimeout.toMillis())
Expand All @@ -43,8 +44,8 @@ public static Config createConfig(KubernetesClientBuildConfig buildConfig) {
.build();
}

public static KubernetesClient createClient(KubernetesClientBuildConfig buildConfig) {
return new DefaultKubernetesClient(createConfig(buildConfig));
public static KubernetesClient createClient(KubernetesClientBuildConfig buildConfig, TlsConfig tlsConfig) {
return new DefaultKubernetesClient(createConfig(buildConfig, tlsConfig));
}

public static KubernetesClient createClient() {
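Review bot: The no-argument `createClient()` overload that starts on the last line of the hunk is left untouched while the two-argument one now takes a `TlsConfig`, so any caller still using it builds a client without the global trust-all setting. Its body lies outside the hunk, so I cannot tell whether it delegates to `createConfig(buildConfig)` or to `Config.autoConfigure(null)`; if it is still used, either give it the same `TlsConfig` parameter or document in a Javadoc line that it deliberately ignores `quarkus.tls.trust-all`, e.g. `/** Builds a client from the autodetected configuration; quarkus.tls.trust-all is not applied here. */`. Keeping the two overloads consistent avoids a setup where trust-all is expected to be on for one code path and silently is not for another.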
Expand Up @@ -17,16 +17,18 @@
import io.quarkus.kubernetes.client.runtime.KubernetesConfigSourceConfig;
import io.quarkus.kubernetes.spi.KubernetesRoleBindingBuildItem;
import io.quarkus.kubernetes.spi.KubernetesRoleBuildItem;
import io.quarkus.runtime.TlsConfig;

public class KubernetesConfigProcessor {

@BuildStep
@Record(ExecutionTime.RUNTIME_INIT)
public RunTimeConfigurationSourceValueBuildItem configure(KubernetesConfigRecorder recorder,
KubernetesConfigSourceConfig config, KubernetesConfigBuildTimeConfig buildTimeConfig,
KubernetesClientBuildConfig clientConfig) {
KubernetesClientBuildConfig clientConfig,
TlsConfig tlsConfig) {
return new RunTimeConfigurationSourceValueBuildItem(
recorder.configSources(config, buildTimeConfig, clientConfig));
recorder.configSources(config, buildTimeConfig, clientConfig, tlsConfig));
}

@BuildStep
Expand Up @@ -9,6 +9,7 @@
import org.jboss.logging.Logger;

import io.quarkus.runtime.RuntimeValue;
import io.quarkus.runtime.TlsConfig;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.runtime.configuration.AbstractRawDefaultConfigSource;

Expand All @@ -21,15 +22,16 @@ public class KubernetesConfigRecorder {

public RuntimeValue<ConfigSourceProvider> configSources(KubernetesConfigSourceConfig kubernetesConfigSourceConfig,
KubernetesConfigBuildTimeConfig buildTimeConfig,
KubernetesClientBuildConfig clientConfig) {
KubernetesClientBuildConfig clientConfig,
TlsConfig tlsConfig) {
if ((!kubernetesConfigSourceConfig.enabled && !buildTimeConfig.secretsEnabled) || isExplicitlyDisabled()) {
log.debug(
"No attempt will be made to obtain configuration from the Kubernetes API server because the functionality has been disabled via configuration");
return emptyRuntimeValue();
}

return new RuntimeValue<>(new KubernetesConfigSourceProvider(kubernetesConfigSourceConfig, buildTimeConfig,
KubernetesClientUtils.createClient(clientConfig)));
KubernetesClientUtils.createClient(clientConfig, tlsConfig)));
}

// We don't want to enable the reading of anything if 'quarkus.kubernetes-config.enabled' is EXPLICITLY set to false
Expand Up @@ -7,6 +7,7 @@

import org.jboss.logging.Logger;

import io.quarkus.runtime.TlsConfig;
import io.vertx.core.Vertx;
import io.vertx.ext.mail.LoginOption;
import io.vertx.ext.mail.MailClient;
Expand All @@ -23,8 +24,8 @@ public class MailClientProducer {
private final io.vertx.mutiny.ext.mail.MailClient mutinyClient;
private final MailClient client;

public MailClientProducer(Vertx vertx, MailConfig config) {
this.client = mailClient(vertx, config);
public MailClientProducer(Vertx vertx, MailConfig config, TlsConfig tlsConfig) {
this.client = mailClient(vertx, config, tlsConfig);
this.mutinyClient = io.vertx.mutiny.ext.mail.MailClient.newInstance(this.client);
}

Expand Down Expand Up @@ -65,12 +66,12 @@ public void stop() {
client.close();
}

private MailClient mailClient(Vertx vertx, MailConfig config) {
io.vertx.ext.mail.MailConfig cfg = toVertxMailConfig(config);
private MailClient mailClient(Vertx vertx, MailConfig config, TlsConfig tlsConfig) {
io.vertx.ext.mail.MailConfig cfg = toVertxMailConfig(config, tlsConfig);
return MailClient.createShared(vertx, cfg);
}

private io.vertx.ext.mail.MailConfig toVertxMailConfig(MailConfig config) {
private io.vertx.ext.mail.MailConfig toVertxMailConfig(MailConfig config, TlsConfig tlsConfig) {
io.vertx.ext.mail.MailConfig cfg = new io.vertx.ext.mail.MailConfig();
if (config.authMethods.isPresent()) {
cfg.setAuthMethods(config.authMethods.get());
Expand Down Expand Up @@ -106,7 +107,7 @@ private io.vertx.ext.mail.MailConfig toVertxMailConfig(MailConfig config) {
if (config.startTLS.isPresent()) {
cfg.setStarttls(StartTLSOptions.valueOf(config.startTLS.get().toUpperCase()));
}
cfg.setTrustAll(config.trustAll);
cfg.setTrustAll(config.trustAll || tlsConfig.trustAll);
return cfg;
}

Expand Up @@ -51,7 +51,7 @@ public class MutinyMailerImpl implements ReactiveMailer {
public Void apply(List<?> results) {
return null;
}
};;
};

@Override
public Uni<Void> send(Mail... mails) {
Expand Up @@ -35,6 +35,7 @@
import io.quarkus.oidc.runtime.OidcRecorder;
import io.quarkus.oidc.runtime.OidcTokenCredentialProducer;
import io.quarkus.oidc.runtime.TenantConfigBean;
import io.quarkus.runtime.TlsConfig;
import io.quarkus.vertx.core.deployment.CoreVertxBuildItem;
import io.smallrye.jwt.auth.cdi.ClaimValueProducer;
import io.smallrye.jwt.auth.cdi.CommonJwtProducer;
Expand Down Expand Up @@ -92,9 +93,10 @@ EnableAllSecurityServicesBuildItem security() {
public SyntheticBeanBuildItem setup(
OidcConfig config,
OidcRecorder recorder,
CoreVertxBuildItem vertxBuildItem) {
CoreVertxBuildItem vertxBuildItem,
TlsConfig tlsConfig) {
return SyntheticBeanBuildItem.configure(TenantConfigBean.class).unremovable().types(TenantConfigBean.class)
.supplier(recorder.setup(config, vertxBuildItem.getVertx()))
.supplier(recorder.setup(config, vertxBuildItem.getVertx(), tlsConfig))
.scope(Singleton.class)
.setRuntimeInit()
.done();
Expand Up @@ -21,6 +21,7 @@
import io.quarkus.oidc.OidcTenantConfig.Tls.Verification;
import io.quarkus.runtime.BlockingOperationControl;
import io.quarkus.runtime.ExecutorRecorder;
import io.quarkus.runtime.TlsConfig;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.smallrye.mutiny.Uni;
Expand All @@ -44,7 +45,7 @@ public class OidcRecorder {

private static final Map<String, TenantConfigContext> dynamicTenantsConfig = new ConcurrentHashMap<>();

public Supplier<TenantConfigBean> setup(OidcConfig config, Supplier<Vertx> vertx) {
public Supplier<TenantConfigBean> setup(OidcConfig config, Supplier<Vertx> vertx, TlsConfig tlsConfig) {
final Vertx vertxValue = vertx.get();
Map<String, TenantConfigContext> staticTenantsConfig = new HashMap<>();

Expand All @@ -57,10 +58,12 @@ public Supplier<TenantConfigBean> setup(OidcConfig config, Supplier<Vertx> vertx
throw new OIDCException("Configuration has 2 different tenant-id values: '"
+ tenant.getKey() + "' and '" + tenant.getValue().getTenantId().get() + "'");
}
staticTenantsConfig.put(tenant.getKey(), createTenantContext(vertxValue, tenant.getValue(), tenant.getKey()));
staticTenantsConfig.put(tenant.getKey(),
createTenantContext(vertxValue, tenant.getValue(), tlsConfig, tenant.getKey()));
}

TenantConfigContext tenantContext = createTenantContext(vertxValue, config.defaultTenant, "Default");
TenantConfigContext tenantContext = createTenantContext(vertxValue, config.defaultTenant, tlsConfig, "Default");

return new Supplier<TenantConfigBean>() {
@Override
public TenantConfigBean get() {
Expand All @@ -70,7 +73,7 @@ public TenantConfigBean get() {
public Uni<TenantConfigContext> apply(OidcTenantConfig config) {
if (BlockingOperationControl.isBlockingAllowed()) {
try {
return Uni.createFrom().item(createDynamicTenantContext(vertxValue, config,
return Uni.createFrom().item(createDynamicTenantContext(vertxValue, config, tlsConfig,
config.getTenantId().get()));
} catch (Throwable t) {
return Uni.createFrom().failure(t);
Expand All @@ -83,8 +86,9 @@ public void accept(UniEmitter<? super TenantConfigContext> uniEmitter) {
@Override
public void run() {
try {
uniEmitter.complete(createDynamicTenantContext(vertxValue, config,
config.getTenantId().get()));
uniEmitter.complete(
createDynamicTenantContext(vertxValue, config, tlsConfig,
config.getTenantId().get()));
} catch (Throwable t) {
uniEmitter.fail(t);
}
Expand All @@ -99,14 +103,16 @@ public void run() {
};
}

private TenantConfigContext createDynamicTenantContext(Vertx vertx, OidcTenantConfig oidcConfig, String tenantId) {
private TenantConfigContext createDynamicTenantContext(Vertx vertx, OidcTenantConfig oidcConfig, TlsConfig tlsConfig,
String tenantId) {
if (!dynamicTenantsConfig.containsKey(tenantId)) {
dynamicTenantsConfig.putIfAbsent(tenantId, createTenantContext(vertx, oidcConfig, tenantId));
dynamicTenantsConfig.putIfAbsent(tenantId, createTenantContext(vertx, oidcConfig, tlsConfig, tenantId));
}
return dynamicTenantsConfig.get(tenantId);
}

private TenantConfigContext createTenantContext(Vertx vertx, OidcTenantConfig oidcConfig, String tenantId) {
private TenantConfigContext createTenantContext(Vertx vertx, OidcTenantConfig oidcConfig, TlsConfig tlsConfig,
String tenantId) {
if (!oidcConfig.tenantId.isPresent()) {
oidcConfig.tenantId = Optional.of(tenantId);
}
Expand Down Expand Up @@ -234,7 +240,7 @@ private TenantConfigContext createTenantContext(Vertx vertx, OidcTenantConfig oi
options.setProxyOptions(proxyOpt.get());
}

if (oidcConfig.tls.verification == Verification.NONE) {
if (oidcConfig.tls.verification == Verification.NONE && tlsConfig.trustAll) {
options.setTrustAll(true);
options.setVerifyHost(false);
}
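Review bot: The new condition `if (oidcConfig.tls.verification == Verification.NONE && tlsConfig.trustAll)` in the last hunk requires both settings at once, which silently breaks the existing per-tenant `quarkus.oidc.tls.verification=none` path (it no longer disables verification on its own) and is inconsistent with the `||` the same commit uses for this flag in KubernetesClientUtils and MailClientProducer. If the intent is that either setting enables trust-all, the line should read `if (oidcConfig.tls.verification == Verification.NONE || tlsConfig.trustAll) {`; if instead the global flag is meant to apply only when the tenant has not configured verification explicitly, that precedence needs to be written out here and stated in the TlsConfig Javadoc rather than left to the `&&`. In either case a warning log at the point where `setTrustAll(true)` and `setVerifyHost(false)` are applied would make a disabled certificate check visible in production logs. createTenantContext starts outside the hunk.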