This is an automated email from the ASF dual-hosted git repository. gortiz pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/pinot.git
The following commit(s) were added to refs/heads/master by this push: new 697f58ca01 correctly install default ssl socket factory when no key or trust store (#13589) 697f58ca01 is described below commit 697f58ca01af30f20b9af75c1f0a0cf5602dd518 Author: Haitao Zhang <hai...@startree.ai> AuthorDate: Thu Jul 18 01:08:14 2024 -0700 correctly install default ssl socket factory when no key or trust store (#13589) --- .../apache/pinot/common/utils/tls/TlsUtils.java | 33 +- ...lsUtilsTest.java => RenewableTlsUtilsTest.java} | 4 +- .../pinot/common/utils/tls/TlsUtilsTest.java | 342 +-------------------- 3 files changed, 26 insertions(+), 353 deletions(-) diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/tls/TlsUtils.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/tls/TlsUtils.java index 51c04523ca..81d862d83b 100644 --- a/pinot-common/src/main/java/org/apache/pinot/common/utils/tls/TlsUtils.java +++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/tls/TlsUtils.java @@ -29,6 +29,7 @@ import java.net.MalformedURLException; import java.net.URI; import java.net.URISyntaxException; import java.net.URL; +import java.security.GeneralSecurityException; import java.security.KeyStore; import java.security.SecureRandom; import java.util.concurrent.atomic.AtomicReference; @@ -60,6 +61,7 @@ public final class TlsUtils { private static final String TRUSTSTORE_PATH = "truststore.path"; private static final String TRUSTSTORE_PASSWORD = "truststore.password"; private static final String SSL_PROVIDER = "ssl.provider"; + private static final String SSL_CONTEXT_PROTOCOL = "SSL"; private static final String FILE_SCHEME = "file"; private static final String FILE_SCHEME_PREFIX = FILE_SCHEME + "://"; @@ -227,19 +229,28 @@ public final class TlsUtils { String trustStoreType, String trustStorePath, String trustStorePassword) { try { SecureRandom secureRandom = new SecureRandom(); - SSLFactory sslFactory = RenewableTlsUtils.createSSLFactory(keyStoreType, keyStorePath, keyStorePassword, - trustStoreType, trustStorePath, trustStorePassword, - "SSL", secureRandom, true, false); - if (isKeyOrTrustStorePathNullOrHasFileScheme(keyStorePath) - && isKeyOrTrustStorePathNullOrHasFileScheme(trustStorePath)) { - RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, keyStoreType, keyStorePath, - keyStorePassword, trustStoreType, trustStorePath, trustStorePassword, "SSL", secureRandom, - PinotInsecureMode::isPinotInInsecureMode); + SSLContext sc; + if (keyStorePath == null && trustStorePath == null) { + // When neither keyStorePath nor trustStorePath is provided, a SSLFactory cannot be created. create SSLContext + // directly and use the default key manager and trust manager. + sc = SSLContext.getInstance(SSL_CONTEXT_PROTOCOL); + sc.init(null, null, secureRandom); + } else { + SSLFactory sslFactory = + RenewableTlsUtils.createSSLFactory(keyStoreType, keyStorePath, keyStorePassword, trustStoreType, + trustStorePath, trustStorePassword, SSL_CONTEXT_PROTOCOL, secureRandom, true, false); + if (isKeyOrTrustStorePathNullOrHasFileScheme(keyStorePath) && isKeyOrTrustStorePathNullOrHasFileScheme( + trustStorePath)) { + RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, keyStoreType, keyStorePath, + keyStorePassword, trustStoreType, trustStorePath, trustStorePassword, SSL_CONTEXT_PROTOCOL, secureRandom, + PinotInsecureMode::isPinotInInsecureMode); + } + sc = sslFactory.getSslContext(); } // HttpsURLConnection - HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory.getSslSocketFactory()); - setSslContext(sslFactory.getSslContext()); - } catch (GenericSSLContextException e) { + HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); + setSslContext(sc); + } catch (GenericSSLContextException | GeneralSecurityException e) { throw new IllegalStateException("Could not initialize SSL support", e); } } diff --git a/pinot-common/src/test/java/org/apache/pinot/common/utils/tls/TlsUtilsTest.java b/pinot-common/src/test/java/org/apache/pinot/common/utils/tls/RenewableTlsUtilsTest.java similarity index 99% copy from pinot-common/src/test/java/org/apache/pinot/common/utils/tls/TlsUtilsTest.java copy to pinot-common/src/test/java/org/apache/pinot/common/utils/tls/RenewableTlsUtilsTest.java index f66f59c3db..6e65c2a44b 100644 --- a/pinot-common/src/test/java/org/apache/pinot/common/utils/tls/TlsUtilsTest.java +++ b/pinot-common/src/test/java/org/apache/pinot/common/utils/tls/RenewableTlsUtilsTest.java @@ -70,7 +70,7 @@ import static org.testng.Assert.*; * 3. keytool -import -alias mykey -file certificate.cer -keystore truststore.p12 -storetype PKCS12 -storepass changeit * -noprompt */ -public class TlsUtilsTest { +public class RenewableTlsUtilsTest { private static final String TLS_RESOURCE_FOLDER = "tls/"; private static final String TLS_KEYSTORE_FILE = "keystore.p12"; private static final String TLS_TRUSTSTORE_FILE = "truststore.p12"; @@ -100,7 +100,7 @@ public class TlsUtilsTest { for (Map.Entry<String, String> entry : srcAndDestFileMap.entrySet()) { // Use the class loader to get the InputStream of the resource file try (InputStream resourceStream - = TlsUtilsTest.class.getClassLoader().getResourceAsStream(TLS_RESOURCE_FOLDER + entry.getKey())) { + = RenewableTlsUtilsTest.class.getClassLoader().getResourceAsStream(TLS_RESOURCE_FOLDER + entry.getKey())) { if (resourceStream == null) { throw new IOException("Resource file not found: " + entry.getKey()); } diff --git a/pinot-common/src/test/java/org/apache/pinot/common/utils/tls/TlsUtilsTest.java b/pinot-common/src/test/java/org/apache/pinot/common/utils/tls/TlsUtilsTest.java index f66f59c3db..4df0fb2807 100644 --- a/pinot-common/src/test/java/org/apache/pinot/common/utils/tls/TlsUtilsTest.java +++ b/pinot-common/src/test/java/org/apache/pinot/common/utils/tls/TlsUtilsTest.java @@ -18,350 +18,12 @@ */ package org.apache.pinot.common.utils.tls; -import com.google.common.collect.ImmutableMap; -import java.io.File; -import java.io.IOException; -import java.io.InputStream; -import java.net.URISyntaxException; -import java.nio.file.FileSystems; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.nio.file.StandardCopyOption; -import java.nio.file.WatchKey; -import java.nio.file.WatchService; -import java.security.KeyManagementException; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.SecureRandom; -import java.security.cert.Certificate; -import java.security.cert.X509Certificate; -import java.util.HashMap; -import java.util.Map; -import java.util.Set; -import java.util.concurrent.ExecutorService; -import java.util.concurrent.Executors; -import javax.net.ssl.KeyManager; -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; -import javax.net.ssl.X509ExtendedKeyManager; -import javax.net.ssl.X509ExtendedTrustManager; -import javax.net.ssl.X509KeyManager; -import javax.net.ssl.X509TrustManager; -import nl.altindag.ssl.SSLFactory; -import nl.altindag.ssl.trustmanager.HotSwappableX509ExtendedTrustManager; -import nl.altindag.ssl.trustmanager.UnsafeX509ExtendedTrustManager; -import org.apache.commons.io.FileUtils; -import org.apache.pinot.common.config.TlsConfig; -import org.testng.annotations.AfterMethod; -import org.testng.annotations.BeforeMethod; import org.testng.annotations.Test; -import static org.testng.Assert.*; - -/** - * Command used to generated the keystore and truststore files: - * 1. keytool -genkeypair -keyalg RSA -keysize 2048 -keystore keystore.p12 -storetype PKCS12 -storepass changeit - * -keypass changeit -validity 18250 - * 2. keytool -export -alias mykey -file certificate.cer -keystore keystore.p12 -storetype PKCS12 -storepass changeit - * 3. keytool -import -alias mykey -file certificate.cer -keystore truststore.p12 -storetype PKCS12 -storepass changeit - * -noprompt - */ public class TlsUtilsTest { - private static final String TLS_RESOURCE_FOLDER = "tls/"; - private static final String TLS_KEYSTORE_FILE = "keystore.p12"; - private static final String TLS_TRUSTSTORE_FILE = "truststore.p12"; - private static final String TLS_KEYSTORE_UPDATED_FILE = "keystore-updated.p12"; - private static final String TLS_TRUSTSTORE_UPDATED_FILE = "truststore-updated.p12"; - private static final String PASSWORD = "changeit"; - private static final String KEYSTORE_TYPE = "PKCS12"; - private static final String TRUSTSTORE_TYPE = "PKCS12"; - private static final String DEFAULT_TEST_TLS_DIR - = new File(FileUtils.getTempDirectoryPath(), "test-tls-dir" + System.currentTimeMillis()).getAbsolutePath(); - private static final String KEY_NAME_ALIAS = "mykey"; - - private static final String TLS_KEYSTORE_FILE_PATH = DEFAULT_TEST_TLS_DIR + "/" + TLS_KEYSTORE_FILE; - private static final String TLS_TRUSTSTORE_FILE_PATH = DEFAULT_TEST_TLS_DIR + "/" + TLS_TRUSTSTORE_FILE; - - @BeforeMethod - public void setUp() - throws IOException, URISyntaxException { - copyResourceFilesToTempFolder( - ImmutableMap.of(TLS_KEYSTORE_FILE, TLS_KEYSTORE_FILE, TLS_TRUSTSTORE_FILE, TLS_TRUSTSTORE_FILE)); - } - - private static void copyResourceFilesToTempFolder(Map<String, String> srcAndDestFileMap) - throws URISyntaxException, IOException { - // Create the destination folder if it doesn't exist - Files.createDirectories(Paths.get(DEFAULT_TEST_TLS_DIR)); - for (Map.Entry<String, String> entry : srcAndDestFileMap.entrySet()) { - // Use the class loader to get the InputStream of the resource file - try (InputStream resourceStream - = TlsUtilsTest.class.getClassLoader().getResourceAsStream(TLS_RESOURCE_FOLDER + entry.getKey())) { - if (resourceStream == null) { - throw new IOException("Resource file not found: " + entry.getKey()); - } - // Specify the destination path - Path destinationPath = Paths.get(DEFAULT_TEST_TLS_DIR, entry.getValue()); - // Use Files.copy to copy the file to the destination folder - Files.copy(resourceStream, destinationPath, StandardCopyOption.REPLACE_EXISTING); - } catch (IOException e) { - e.printStackTrace(); // Handle the exception as needed - } - } - } - - @AfterMethod - public void tearDown() { - FileUtils.deleteQuietly(new File(DEFAULT_TEST_TLS_DIR)); - } - - @Test - public void swappableSSLFactoryHasSameAsStaticOnes() - throws NoSuchAlgorithmException, KeyManagementException, IOException, URISyntaxException { - SecureRandom secureRandom = new SecureRandom(); - KeyManagerFactory keyManagerFactory = - TlsUtils.createKeyManagerFactory(TLS_KEYSTORE_FILE_PATH, PASSWORD, KEYSTORE_TYPE); - TrustManagerFactory trustManagerFactory = - TlsUtils.createTrustManagerFactory(TLS_TRUSTSTORE_FILE_PATH, PASSWORD, TRUSTSTORE_TYPE); - SSLContext sslContext = SSLContext.getInstance("TLS"); - sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), secureRandom); - SSLFactory sslFactory = - RenewableTlsUtils.createSSLFactory(KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD, - TRUSTSTORE_TYPE, TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true, false); - KeyManagerFactory swappableKeyManagerFactory = sslFactory.getKeyManagerFactory().get(); - assertEquals(swappableKeyManagerFactory.getKeyManagers().length, keyManagerFactory.getKeyManagers().length); - assertEquals(swappableKeyManagerFactory.getKeyManagers().length, 1); - assertSSLKeyManagersEqual(swappableKeyManagerFactory.getKeyManagers()[0], keyManagerFactory.getKeyManagers()[0]); - TrustManagerFactory swappableTrustManagerFactory = sslFactory.getTrustManagerFactory().get(); - assertEquals(swappableTrustManagerFactory.getTrustManagers().length, - trustManagerFactory.getTrustManagers().length); - assertEquals(swappableTrustManagerFactory.getTrustManagers().length, 1); - assertSSLTrustManagersEqual(swappableTrustManagerFactory.getTrustManagers()[0], - trustManagerFactory.getTrustManagers()[0]); - SSLContext swappableSSLContext = sslFactory.getSslContext(); - assertEquals(swappableSSLContext.getProtocol(), sslContext.getProtocol()); - assertEquals(swappableSSLContext.getProvider(), sslContext.getProvider()); - } - - private static void assertSSLKeyManagersEqual(KeyManager km1, KeyManager km2) { - X509KeyManager x509KeyManager1 = (X509KeyManager) km1; - X509KeyManager x509KeyManager2 = (X509KeyManager) km2; - assertEquals(x509KeyManager1.getPrivateKey(KEY_NAME_ALIAS), x509KeyManager2.getPrivateKey(KEY_NAME_ALIAS)); - - Certificate[] certs1 = x509KeyManager1.getCertificateChain(KEY_NAME_ALIAS); - Certificate[] certs2 = x509KeyManager2.getCertificateChain(KEY_NAME_ALIAS); - assertEquals(certs1.length, certs2.length); - assertEquals(certs1.length, 1); - assertEquals(certs1[0], certs2[0]); - } - - private static void assertSSLTrustManagersEqual(TrustManager tm1, TrustManager tm2) { - X509TrustManager x509TrustManager1 = (X509TrustManager) tm1; - X509TrustManager x509TrustManager2 = (X509TrustManager) tm2; - - assertEquals(x509TrustManager1.getAcceptedIssuers().length, x509TrustManager2.getAcceptedIssuers().length); - assertEquals(x509TrustManager1.getAcceptedIssuers().length, 1); - assertEquals(x509TrustManager1.getAcceptedIssuers()[0], x509TrustManager2.getAcceptedIssuers()[0]); - } - - @Test - public void reloadSslFactoryWhenFileStoreChanges() - throws IOException, URISyntaxException, InterruptedException { - SecureRandom secureRandom = new SecureRandom(); - SSLFactory sslFactory = RenewableTlsUtils.createSSLFactory(KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD, - TRUSTSTORE_TYPE, TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true, false); - X509ExtendedKeyManager x509ExtendedKeyManager = sslFactory.getKeyManager().get(); - X509ExtendedTrustManager x509ExtendedTrustManager = sslFactory.getTrustManager().get(); - SSLContext sslContext = sslFactory.getSslContext(); - - PrivateKey privateKey = x509ExtendedKeyManager.getPrivateKey(KEY_NAME_ALIAS); - Certificate certForPrivateKey = x509ExtendedKeyManager.getCertificateChain(KEY_NAME_ALIAS)[0]; - X509Certificate acceptedIssuerForCert = x509ExtendedTrustManager.getAcceptedIssuers()[0]; - - // Start a new thread to reload the ssl factory when the tls files change - // Avoid early finalization by not using Executors.newSingleThreadExecutor (java <= 20, JDK-8145304) - ExecutorService executorService = Executors.newFixedThreadPool(1); - executorService.execute( - () -> { - try { - RenewableTlsUtils.reloadSslFactoryWhenFileStoreChanges(sslFactory, KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, - PASSWORD, TRUSTSTORE_TYPE, TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, () -> false); - } catch (Exception e) { - throw new RuntimeException(e); - } - }); - updateTlsFilesAndWaitForSslFactoryToBeRenewed(); - executorService.shutdown(); - - // after tls file update, the returned values should be the same, since the wrapper is the same - X509ExtendedKeyManager udpatedX509ExtendedKeyManager = sslFactory.getKeyManager().get(); - X509ExtendedTrustManager updatedX509ExtendedTrustManager = sslFactory.getTrustManager().get(); - SSLContext updatedSslContext = sslFactory.getSslContext(); - assertEquals(x509ExtendedKeyManager, udpatedX509ExtendedKeyManager); - assertEquals(x509ExtendedTrustManager, updatedX509ExtendedTrustManager); - assertEquals(sslContext, updatedSslContext); - - // after tls file update, the underlying values should be different - assertNotEquals(privateKey, udpatedX509ExtendedKeyManager.getPrivateKey(KEY_NAME_ALIAS)); - assertNotEquals(certForPrivateKey, udpatedX509ExtendedKeyManager.getCertificateChain(KEY_NAME_ALIAS)[0]); - assertNotEquals(acceptedIssuerForCert, updatedX509ExtendedTrustManager.getAcceptedIssuers()[0]); - } - - @Test - public void enableAutoRenewalFromFileStoreForSSLFactoryThrows() { - SSLFactory swappableSslFactory = - RenewableTlsUtils.createSSLFactory(KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD, TRUSTSTORE_TYPE, - TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", null, true, false); - TlsConfig tlsConfig = new TlsConfig(); - tlsConfig.setKeyStoreType(KEYSTORE_TYPE); - tlsConfig.setKeyStorePath("ftp://" + TLS_KEYSTORE_FILE_PATH); - tlsConfig.setKeyStorePassword(PASSWORD); - tlsConfig.setTrustStoreType(TRUSTSTORE_TYPE); - tlsConfig.setTrustStorePath(TLS_TRUSTSTORE_FILE_PATH); - tlsConfig.setTrustStorePassword(PASSWORD); - RuntimeException e = null; - try { - RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory( - swappableSslFactory, tlsConfig, () -> false); - } catch (RuntimeException ex) { - e = ex; - } - assertNotNull(e); - assertEquals(e.getMessage(), "java.lang.IllegalArgumentException: key store path must be a local file path " - + "or null when SSL auto renew is enabled"); - - tlsConfig.setKeyStorePath(TLS_KEYSTORE_FILE_PATH); - tlsConfig.setTrustStorePath("ftp://" + TLS_TRUSTSTORE_FILE_PATH); - e = null; - try { - RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory( - swappableSslFactory, tlsConfig, () -> false); - } catch (RuntimeException ex) { - e = ex; - } - assertEquals(e.getMessage(), "java.lang.IllegalArgumentException: trust store path must be a local file path " - + "or null when SSL auto renew is enabled"); - - SSLFactory nonSwappableSslFactory = - RenewableTlsUtils.createSSLFactory(KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD, TRUSTSTORE_TYPE, - TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", null, false, false); - e = null; - tlsConfig.setTrustStorePath(TLS_TRUSTSTORE_FILE_PATH); - try { - RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory( - nonSwappableSslFactory, tlsConfig, () -> false); - } catch (RuntimeException ex) { - e = ex; - } - assertEquals(e.getMessage(), - "java.lang.IllegalArgumentException: key manager of the existing SSLFactory must be swappable"); - - tlsConfig.setKeyStorePath(null); - e = null; - try { - RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory( - nonSwappableSslFactory, tlsConfig, () -> false); - } catch (RuntimeException ex) { - e = ex; - } - assertEquals(e.getMessage(), - "java.lang.IllegalArgumentException: trust manager of the existing SSLFactory must be swappable"); - } - - @Test - public void createSslFactoryInInsecureMode() { - SecureRandom secureRandom = new SecureRandom(); - SSLFactory sslFactory = RenewableTlsUtils.createSSLFactory(KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD, - TRUSTSTORE_TYPE, TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, false, true); - - X509ExtendedTrustManager x509ExtendedTrustManager = sslFactory.getTrustManager().get(); - assertTrue(x509ExtendedTrustManager instanceof UnsafeX509ExtendedTrustManager); - assertEquals(x509ExtendedTrustManager.getAcceptedIssuers().length, 0); - - sslFactory = RenewableTlsUtils.createSSLFactory(KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD, - TRUSTSTORE_TYPE, TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true, true); - ensurSslFactoryUseUnsafeTrustManager(sslFactory); - } - - @Test - public void createSSLFactoryAndEnableAutoRenewalWhenUsingFileStoresWithPinotSecureMode() - throws IOException, URISyntaxException, InterruptedException { - TlsConfig tlsConfig = createTlsConfig(); - SSLFactory sslFactory = - RenewableTlsUtils.createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(tlsConfig, () -> false); - ensurSslFactoryUseNormalTrustManager(sslFactory); - - updateTlsFilesAndWaitForSslFactoryToBeRenewed(); - - ensurSslFactoryUseNormalTrustManager(sslFactory); - } - @Test - public void createSSLFactoryAndEnableAutoRenewalWhenUsingFileStoresWithPinotInsecureMode() - throws IOException, URISyntaxException, InterruptedException { - TlsConfig tlsConfig = createTlsConfig(); - SSLFactory sslFactory = - RenewableTlsUtils.createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(tlsConfig, () -> true); - ensurSslFactoryUseUnsafeTrustManager(sslFactory); - - updateTlsFilesAndWaitForSslFactoryToBeRenewed(); - - // after tls file update, the ssl factory should still use UnsafeX509ExtendedTrustManager - ensurSslFactoryUseUnsafeTrustManager(sslFactory); - } - - private void ensurSslFactoryUseNormalTrustManager(SSLFactory sslFactory) { - X509ExtendedTrustManager x509ExtendedTrustManager = sslFactory.getTrustManager().get(); - assertTrue(x509ExtendedTrustManager instanceof HotSwappableX509ExtendedTrustManager); - HotSwappableX509ExtendedTrustManager hotSwappableX509ExtendedTrustManager - = (HotSwappableX509ExtendedTrustManager) x509ExtendedTrustManager; - assertFalse(hotSwappableX509ExtendedTrustManager.getInnerTrustManager() instanceof UnsafeX509ExtendedTrustManager); - assertEquals(x509ExtendedTrustManager.getAcceptedIssuers().length, 1); - } - - private void ensurSslFactoryUseUnsafeTrustManager(SSLFactory sslFactory) { - X509ExtendedTrustManager x509ExtendedTrustManager = sslFactory.getTrustManager().get(); - assertTrue(x509ExtendedTrustManager instanceof HotSwappableX509ExtendedTrustManager); - HotSwappableX509ExtendedTrustManager hotSwappableX509ExtendedTrustManager - = (HotSwappableX509ExtendedTrustManager) x509ExtendedTrustManager; - assertTrue(hotSwappableX509ExtendedTrustManager.getInnerTrustManager() instanceof UnsafeX509ExtendedTrustManager); - assertEquals(x509ExtendedTrustManager.getAcceptedIssuers().length, 0); - } - - private TlsConfig createTlsConfig() { - TlsConfig tlsConfig = new TlsConfig(); - tlsConfig.setKeyStoreType(KEYSTORE_TYPE); - tlsConfig.setKeyStorePath(TLS_KEYSTORE_FILE_PATH); - tlsConfig.setKeyStorePassword(PASSWORD); - tlsConfig.setTrustStoreType(TRUSTSTORE_TYPE); - tlsConfig.setTrustStorePath(TLS_TRUSTSTORE_FILE_PATH); - tlsConfig.setTrustStorePassword(PASSWORD); - tlsConfig.setInsecure(false); - return tlsConfig; - } - - private void updateTlsFilesAndWaitForSslFactoryToBeRenewed() - throws IOException, URISyntaxException, InterruptedException { - WatchService watchService = FileSystems.getDefault().newWatchService(); - Map<WatchKey, Set<Path>> watchKeyPathMap = new HashMap<>(); - RenewableTlsUtils.registerFile(watchService, watchKeyPathMap, TLS_KEYSTORE_FILE_PATH); - RenewableTlsUtils.registerFile(watchService, watchKeyPathMap, TLS_TRUSTSTORE_FILE_PATH); - - // wait for the new thread to start - Thread.sleep(100); - - // update tls files - copyResourceFilesToTempFolder( - ImmutableMap.of(TLS_KEYSTORE_UPDATED_FILE, TLS_KEYSTORE_FILE, TLS_TRUSTSTORE_UPDATED_FILE, - TLS_TRUSTSTORE_FILE)); - - // wait for the file change event to be detected - watchService.take(); - // it will take some time for the thread to be notified and reload the ssl factory - Thread.sleep(500); + public void installDefaultSSLSocketFactoryWhenNoKeyOrTrustStore() { + TlsUtils.installDefaultSSLSocketFactory(null, null, null, null, null, null); } } --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org For additional commands, e-mail: commits-h...@pinot.apache.org