Package org.apache.solr.util

Class SSLTestConfig

  • public class SSLTestConfig
extends Object
    An SSLConfig that provides SSLConfig and HttpClientUtil.SocketFactoryRegistryProvider for both clients and servers that supports reading key/trust store information directly from resource files provided with the Solr test-framework classes

    • Constructor Summary

      Constructors 
      Constructor Description
      SSLTestConfig()
      Creates an SSLTestConfig that does not use SSL or client authentication
      SSLTestConfig​(boolean useSSL, boolean clientAuth)
      Create an SSLTestConfig based on a few caller specified options, implicitly assuming checkPeerName=false.
      SSLTestConfig​(boolean useSSL, boolean clientAuth, boolean checkPeerName)
      Create an SSLTestConfig based on a few caller specified options.

    • Constructor Detail

      • SSLTestConfig

        public SSLTestConfig()
        Creates an SSLTestConfig that does not use SSL or client authentication

      • SSLTestConfig

        public SSLTestConfig​(boolean useSSL,
                     boolean clientAuth)
        Create an SSLTestConfig based on a few caller specified options, implicitly assuming checkPeerName=false.

        As needed, keystore/truststore information will be pulled from a hardcoded resource file provided by the solr test-framework

        Parameters:
        useSSL - - whether SSL should be required.
        clientAuth - - whether client authentication should be required.

      • SSLTestConfig

        public SSLTestConfig​(boolean useSSL,
                     boolean clientAuth,
                     boolean checkPeerName)
        Create an SSLTestConfig based on a few caller specified options. As needed, keystore/truststore information will be pulled from a hardcoded resource files provided by the solr test-framework based on the value of checkPeerName:
        • true - A keystore resource file will be used that specifies a CN of localhost and a SAN IP of 127.0.0.1, to ensure that all connections should be valid regardless of what machine runs the tests.
        • false - A keystore resource file will be used that specifies a bogus hostname in the CN and reserved IP as the SAN, since no (valid) tests using this SSLTestConfig should care what CN/SAN are.
        Parameters:
        useSSL - - whether SSL should be required.
        clientAuth - - whether client authentication should be required.
        checkPeerName - - whether the client should validate the 'peer name' of the SSL Certificate (and which testing Cert should be used)
        See Also:
        HttpClientUtil.SYS_PROP_CHECK_PEER_NAME

    • Method Detail

      • getCheckPeerName

        public boolean getCheckPeerName()
        If true, then servers hostname/ip should be validated against the SSL Cert metadata

      • isSSLMode

        public boolean isSSLMode()
        All other settings on this object are ignored unless this is true

      • isClientAuthMode

        public boolean isClientAuthMode()

      • buildClientSocketFactoryRegistryProvider

        public org.apache.solr.client.solrj.impl.HttpClientUtil.SocketFactoryRegistryProvider buildClientSocketFactoryRegistryProvider()
        Creates a HttpClientUtil.SocketFactoryRegistryProvider for HTTP clients to use when communicating with servers which have been configured based on the settings of this object. When isSSLMode() is true, this SocketFactoryRegistryProvider will only support HTTPS (no HTTP scheme) using the appropriate certs. When isSSLMode() is false, only HTTP (no HTTPS scheme) will be supported.

      • buildClientSSLConfig

        public org.apache.solr.client.solrj.embedded.SSLConfig buildClientSSLConfig()

      • buildServerSSLConfig

        public org.apache.solr.client.solrj.embedded.SSLConfig buildServerSSLConfig()
        Builds a new SSLContext for jetty servers which have been configured based on the settings of this object.

        NOTE: Uses a completely insecure SecureRandom instance to prevent tests from blocking due to lack of entropy, also explicitly allows the use of self-signed certificates (since that's what is almost always used during testing). almost always used during testing).

      • buildClientSSLConnectionSocketFactory

        public org.apache.http.conn.ssl.SSLConnectionSocketFactory buildClientSSLConnectionSocketFactory()
        Constructs a new SSLConnectionSocketFactory for HTTP clients to use when communicating with servers which have been configured based on the settings of this object. Will return null unless isSSLMode() is true.

      • assumeSslIsSafeToTest

        public static void assumeSslIsSafeToTest()
        Helper method for sanity checking if it's safe to use SSL on this JVM
        Throws:
        org.junit.internal.AssumptionViolatedException - if this JVM is known to have SSL problems
        See Also:
        SOLR-12988