enable insecure client TLS connections for testing webid
authorHenry Story <henry.story@bblfish.net>
Mon, 09 Apr 2012 13:33:46 +0200
branchwebid
changeset 189 fe677af72eb3
parent 188 7eab55c485c6
child 190 c3cb0e73cf86
enable insecure client TLS connections for testing
(also tried to use SubCut as dependency injector but required too many changes, and am in a rush for WWW2012)
project/build.scala
src/main/scala/GraphCache.scala
src/main/scala/ReadWriteWebMain.scala
src/main/scala/auth/WebIdClaim.scala
src/main/scala/netty/ReadWriteWebNetty.scala
--- a/project/build.scala	Thu Apr 05 15:38:42 2012 +0200
+++ b/project/build.scala	Mon Apr 09 13:33:46 2012 +0200
@@ -40,6 +40,7 @@
   val aalto_xml = "com.fasterxml" % "aalto-xml" % "0.9.7"
 //  val akka_remote = "com.typesafe.akka" % "akka-remote" % "2.0-M3"
 //  val finagle_http = "com.twitter" %% "finagle-http" % "1.9.12"
+  val subcut = "org.scala-tools.subcut" %% "subcut" % "1.0"
 }
 
 // some usefull repositories
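Review bot: The `subcut` dependency declared on the `val subcut = "org.scala-tools.subcut" %% "subcut" % "1.0"` line is pulled into the build even though the commit description says the SubCut experiment was abandoned, and nothing else in this commit references it; the same addition appears in the next hunk of this file (the `subcut,` entry in the dependency list). An unused artifact still widens the supply-chain surface that has to be audited and resolved, so it should either be dropped from both places or, if it is meant to be picked up again, parked behind a comment like the neighbouring `akka_remote`/`finagle_http` lines: `//  val subcut = "org.scala-tools.subcut" %% "subcut" % "1.0"`.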
@@ -115,6 +116,7 @@
         jena, arq, rdfa,
         grizzled,
         scalaz,
+        subcut,
         jsslutils,
         argot,
         guava,
--- a/src/main/scala/GraphCache.scala	Thu Apr 05 15:38:42 2012 +0200
+++ b/src/main/scala/GraphCache.scala	Mon Apr 09 13:33:46 2012 +0200
@@ -32,6 +32,9 @@
 import com.google.common.cache.{LoadingCache, CacheLoader, CacheBuilder, Cache}
 import java.io.{File, FileOutputStream}
 import com.weiglewilczek.slf4s.Logging
+import javax.net.ssl.SSLContext
+import org.apache.http.conn.ssl.SSLSocketFactory
+import org.apache.http.conn.scheme.Scheme
 
 
 /**
@@ -66,7 +69,20 @@
     client.getParams.setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 3000)
     client.getParams.setParameter(CoreConnectionPNames.SO_TIMEOUT, 15000)
   }
-  
+
+  val sslClientSecure = Option(System.getProperty("rww.clientTLSsecurity")).map{
+    case "secure" => true
+    case _ => false
+  }.getOrElse(false)
+
+
+  if (!sslClientSecure) {
+    val ssl = SSLContext.getInstance("TLS");
+    val sf = new SSLSocketFactory(ssl, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+    val scheme = new Scheme("https", 443, sf);
+    http.client.getConnectionManager().getSchemeRegistry().register(scheme);
+  }
+
   def basePath = null //should be cache dir?
 
   def sanityCheck() = true  //cache dire exists? But is this needed for functioning?
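Review bot: The insecure mode is the default: when `rww.clientTLSsecurity` is unset, `getOrElse(false)` leaves `sslClientSecure` false and the block registers an `https` scheme using `ALLOW_ALL_HOSTNAME_VERIFIER`, so an operator who never passes `--clientTLS` silently loses hostname verification on every outbound fetch. Reading the property as `val sslClientSecure = System.getProperty("rww.clientTLSsecurity") != "insecure"` makes relaxed verification an explicit opt-in, and the `if (!sslClientSecure)` branch should log a warning at startup so the mode is visible in operations. Separately, the context from `SSLContext.getInstance("TLS")` is passed to `SSLSocketFactory` without an `init` call; as far as I can tell an uninitialised `SSLContext` cannot produce a socket factory, so `ssl.init(null, null, null)` appears to be missing, and with default trust managers this branch only relaxes hostname checking, not CA verification as the `--clientTLS` help text in ReadWriteWebMain.scala describes. The enclosing definition that provides `http` starts outside the hunk.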
--- a/src/main/scala/ReadWriteWebMain.scala	Thu Apr 05 15:38:42 2012 +0200
+++ b/src/main/scala/ReadWriteWebMain.scala	Mon Apr 09 13:33:46 2012 +0200
@@ -1,6 +1,5 @@
 package org.w3.readwriteweb
 
-import auth.X509CertSigner._
 import auth.{X509CertSigner, RDFAuthZ, X509view}
 import org.w3.readwriteweb.util._
 
@@ -11,11 +10,8 @@
 import org.clapper.argot._
 import ArgotConverters._
 import javax.servlet.http.{HttpServletResponse, HttpServletRequest}
-import com.weiglewilczek.slf4s.Logging
-import java.lang.{Class, String}
-import java.net.InetAddress
-import java.io.{FileDescriptor, File}
-import java.security.{Permission, KeyStore}
+import java.lang.String
+import java.io.File
 
 trait ReadWriteWebArgs {
   val logger: Logger = LoggerFactory.getLogger(this.getClass)
@@ -30,14 +26,25 @@
   |PROPERTIES
   |
   | * Keystore properties that need to be set if https is started
-  |  -Djetty.ssl.keyStoreType=type : the type of the keystore, JKS by default usually
-  |  -Djetty.ssl.keyStore=path : specify path to key store (for https server certificate)
-  |  -Djetty.ssl.keyStorePassword=password : specify password for keystore store (optional)
+  |  -Dnetty.ssl.keyStoreType=type : the type of the keystore, JKS by default usually
+  |  -Dnetty.ssl.keyStore=path : specify path to key store (for https server certificate)
+  |  -Dnetty.ssl.keyStorePassword=password : specify password for keystore store (optional)
+  |  (for jetty, replace "netty" with "jetty")
+  |
+  | * application arguments:
+  |  --http  start server as plain http server
+  |  --https start server as in secured mode using https (TLS)
+  |  --language [turtle, rdfxml] save RDF in one of the given formats on disk
+  |  --clientTLS [secure, insecure] client connections abide by CA verification
+  |   * secure : if server certificate is not signed by well known CA don't accept
+  |   * insecure: if the server certificate is not signed by well known CA ignore and continue
+  |   * [todo: add more flexible server certificate verification mechanisms]
   |
   |NOTES
   |
   |  - Trust stores are not needed because we use the WebID protocol, and client certs are nearly never signed by CAs
   |  - one of --http or --https must be selected
+  |
      """.stripMargin);
 
   val parser = new ArgotParser("read-write-web",postUsage=postUsageMsg)
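Review bot: The new `--clientTLS [secure, insecure]` usage text does not say which mode applies when the option is omitted, and on this commit the omitted case is decided by how GraphCache.scala reads the `rww.clientTLSsecurity` property rather than by the parser. The usage entry should state the effective default in one line, e.g. `|   * default when omitted: secure` once the code is made to behave that way, so that the help, the parser and the HTTP client agree. The `insecure` bullet also promises that unsigned server certificates are accepted, which should be checked against what the client-side code actually relaxes before the text is shipped.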
@@ -61,8 +68,24 @@
       }
   }
 
-    val httpPort = parser.option[Int]("http", "Port","start the http server on port")
-    val httpsPort = parser.option[Int]("https","port","start the https server on port")
+  val clientTLSsecurity = parser.option[Boolean](List("clientTLS"),"c","client TLS connection security level") {
+    (sValue, opt) =>
+      sValue match {
+        case "insecure" => {
+          //todo: work with system property as a hack for the moment, as passing around conexts is going to require
+          //      a lot of rewriting
+          System.setProperty("rww.clientTLSsecurity","insecure")
+          false
+        }
+        case _ => {
+          System.setProperty("rww.clientTLSsecurity","secure")
+          true
+        }
+      }
+  }
+
+  val httpPort = parser.option[Int]("http", "Port","start the http server on port")
+  val httpsPort = parser.option[Int]("https","port","start the https server on port")
 
   val rootDirectory = parser.parameter[File]("rootDirectory", "root directory", false) {
     (sValue, opt) => {
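Review bot: The `--clientTLS` converter maps every value other than `"insecure"` to secure, so a mistyped value such as `--clientTLS insecur` is accepted silently instead of being reported to the user; the `case _` arm should match `"secure"` only and reject anything else with `case other => throw new ArgotConversionException("unknown --clientTLS value: " + other)`. The converter also writes `System.setProperty` as a side effect of parsing, which the `//todo` comment already acknowledges; note that because the property is only written when the flag is present, an omitted flag leaves it unset and the consumer in GraphCache.scala has to choose the default. If the hack stays, a comment on the option naming that consumer (`// read by GraphCache via rww.clientTLSsecurity; unset == omitted flag`) would make the coupling findable. The enclosing trait `ReadWriteWebArgs` continues outside the hunk.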
--- a/src/main/scala/auth/WebIdClaim.scala	Thu Apr 05 15:38:42 2012 +0200
+++ b/src/main/scala/auth/WebIdClaim.scala	Mon Apr 09 13:33:46 2012 +0200
@@ -28,12 +28,12 @@
 import Scalaz._
 import java.security.PublicKey
 import com.hp.hpl.jena.rdf.model.Model
-import java.net.URL
 import com.hp.hpl.jena.query._
 import java.math.BigInteger
 import com.hp.hpl.jena.datatypes.xsd.XSDDatatype
+import scalaz.{Failure, Validation}
 import org.w3.readwriteweb.CacheControl
-import scalaz.{Failure, Validation}
+import java.net.URL
 
 
 /**
@@ -69,7 +69,6 @@
 class WebIDClaim(val san: String, val key: PublicKey) {
 
   import WebIDClaim._
-  import XSDDatatype._
 
   private def rsaTest(webid: WebID, rsakey: RSAPublicKey): (Model) => Validation[WebIDVerificationFailure, WebID] = {
     model =>
--- a/src/main/scala/netty/ReadWriteWebNetty.scala	Thu Apr 05 15:38:42 2012 +0200
+++ b/src/main/scala/netty/ReadWriteWebNetty.scala	Mon Apr 09 13:33:46 2012 +0200
@@ -117,10 +117,7 @@
       } catch {
         case _ => NotFound
       }
-
     }
-
-
   }
 
   object publicStatic  extends  cycle.Plan  with cycle.ThreadPool with ServerErrorResponse with StaticFiles {