Merge pull request #126 from zhenlineo/1.0-tls

Update config API for TLS to match DIP

Author: jakewins

driver/src/main/java/org/neo4j/driver/internal/connector/socket/SSLContextFactory.java

@@ -27,35 +27,34 @@
 import javax.net.ssl.TrustManagerFactory;
 
 import org.neo4j.driver.v1.Config;
+import org.neo4j.driver.v1.exceptions.ClientException;
+import org.neo4j.driver.internal.spi.Logger;
 
 import static org.neo4j.driver.internal.util.CertificateTool.loadX509Cert;
 
 class SSLContextFactory
 {
-
     private final String host;
     private final int port;
-    private final Config.TlsAuthenticationConfig authConfig;
+    private final Config.TrustStrategy authConfig;
+    private final Logger logger;
 
-    SSLContextFactory( String host, int port, Config.TlsAuthenticationConfig authConfig )
+    SSLContextFactory( String host, int port, Config.TrustStrategy authConfig, Logger logger )
     {
         this.host = host;
         this.port = port;
         this.authConfig = authConfig;
+        this.logger = logger;
     }
 
     public SSLContext create()
             throws GeneralSecurityException, IOException
     {
         SSLContext sslContext = SSLContext.getInstance( "TLS" );
+        TrustManager[] trustManagers;
 
-        // TODO Do we also want the server to verify the client's cert, a.k.a mutual authentication?
-        // Ref: http://logicoy.com/blogs/ssl-keystore-truststore-and-mutual-authentication/
-        KeyManager[] keyManagers = new KeyManager[0];
-        TrustManager[] trustManagers = null;
-
-        if ( authConfig.isFullAuthEnabled() )
-        {
+        switch ( authConfig.strategy() ) {
+        case TRUST_SIGNED_CERTIFICATES:
             // A certificate file is specified so we will load the certificates in the file
             // Init a in memory TrustedKeyStore
             KeyStore trustedKeyStore = KeyStore.getInstance( "JKS" );
@@ -68,13 +67,15 @@ public SSLContext create()
             TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( "SunX509" );
             trustManagerFactory.init( trustedKeyStore );
             trustManagers = trustManagerFactory.getTrustManagers();
-        }
-        else
-        {
-            trustManagers = new TrustManager[]{new TrustOnFirstUseTrustManager( host, port, authConfig.certFile() )};
+            break;
+        case TRUST_ON_FIRST_USE:
+            trustManagers = new TrustManager[]{new TrustOnFirstUseTrustManager( host, port, authConfig.certFile(), logger )};
+            break;
+        default:
+            throw new ClientException( "Unknown TLS authentication strategy: " + authConfig.strategy().name() );
         }
 
-        sslContext.init( keyManagers, trustManagers, null );
+        sslContext.init( new KeyManager[0], trustManagers, null );
         return sslContext;
     }
 }

driver/src/main/java/org/neo4j/driver/internal/connector/socket/SocketClient.java

@@ -220,15 +220,22 @@ public static ByteChannel create( String host, int port, Config config, Logger l
             soChannel.setOption( StandardSocketOptions.SO_KEEPALIVE, true );
             soChannel.connect( new InetSocketAddress( host, port ) );
 
-            ByteChannel channel = null;
+            ByteChannel channel;
 
-            if( config.isTlsEnabled() )
+            switch ( config.encryptionLevel() )
             {
-                channel = new SSLSocketChannel( host, port, soChannel, logger, config.tlsAuthConfig() );
+            case REQUIRED:
+            {
+                channel = new TLSSocketChannel( host, port, soChannel, logger, config.trustStrategy() );
+                break;
             }
-            else
+            case NONE:
             {
                 channel = new AllOrNothingChannel( soChannel );
+                break;
+            }
+            default:
+                throw new ClientException( "Unknown TLS Level: " + config.encryptionLevel() );
             }
 
             if( logger.isTraceEnabled() )

driver/src/main/java/org/neo4j/driver/internal/connector/socket/SocketConnector.java

@@ -30,16 +30,19 @@
 
 public class SocketConnector implements Connector
 {
+    public static final String SCHEME = "bolt";
+    public static final int DEFAULT_PORT = 7687;
+
     @Override
     public boolean supports( String scheme )
     {
-        return scheme.equals( Config.SCHEME );
+        return scheme.equals( SCHEME );
     }
 
     @Override
     public Connection connect( URI sessionURI, Config config ) throws ClientException
     {
-        int port = sessionURI.getPort() == -1 ? Config.DEFAULT_PORT : sessionURI.getPort();
+        int port = sessionURI.getPort() == -1 ? DEFAULT_PORT : sessionURI.getPort();
         SocketConnection conn = new SocketConnection( sessionURI.getHost(), port, config );
         conn.init( "bolt-java-driver/" + Version.driverVersion() );
         return conn;
@@ -48,6 +51,6 @@ public Connection connect( URI sessionURI, Config config ) throws ClientExceptio
     @Override
     public Collection<String> supportedSchemes()
     {
-        return Collections.singletonList( Config.SCHEME );
+        return Collections.singletonList( SCHEME );
     }
 }

driver/src/main/java/org/neo4j/driver/internal/connector/socket/SSLSocketChannel.java renamed to driver/src/main/java/org/neo4j/driver/internal/connector/socket/TLSSocketChannel.java

@@ -32,14 +32,14 @@
 
 import org.neo4j.driver.internal.spi.Logger;
 import org.neo4j.driver.internal.util.BytePrinter;
-import org.neo4j.driver.v1.Config.TlsAuthenticationConfig;
+import org.neo4j.driver.v1.Config.TrustStrategy;
 import org.neo4j.driver.v1.exceptions.ClientException;
 
 import static javax.net.ssl.SSLEngineResult.HandshakeStatus.FINISHED;
 import static javax.net.ssl.SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING;
 
 /**
- * A blocking SSL socket channel.
+ * A blocking TLS socket channel.
  *
  * When debugging, we could enable JSSE system debugging by setting system property:
  * {@code -Djavax.net.debug=all} to value more information about handshake messages and other operations underway.
@@ -49,7 +49,7 @@
  * http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SSLENG
  * http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html
  */
-public class SSLSocketChannel implements ByteChannel
+public class TLSSocketChannel implements ByteChannel
 {
     private final SocketChannel channel;      // The real channel the data is sent to and read from
     private final Logger logger;
@@ -64,25 +64,25 @@ public class SSLSocketChannel implements ByteChannel
     private ByteBuffer plainIn;
     private ByteBuffer plainOut;
 
-    public SSLSocketChannel( String host, int port, SocketChannel channel, Logger logger,
-            TlsAuthenticationConfig authConfig )
+    public TLSSocketChannel( String host, int port, SocketChannel channel, Logger logger,
+                             TrustStrategy trustStrategy )
             throws GeneralSecurityException, IOException
     {
         logger.debug( "TLS connection enabled" );
         this.logger = logger;
         this.channel = channel;
         this.channel.configureBlocking( true );
 
-        sslContext =  new SSLContextFactory( host, port, authConfig ).create();
+        sslContext =  new SSLContextFactory( host, port, trustStrategy, logger ).create();
         createSSLEngine( host, port );
         createBuffers();
-        runSSLHandShake();
+        runHandshake();
         logger.debug( "TLS connection established" );
     }
 
     /** Used in internal tests only */
-    SSLSocketChannel( SocketChannel channel, Logger logger, SSLEngine sslEngine,
-            ByteBuffer plainIn, ByteBuffer cipherIn, ByteBuffer plainOut, ByteBuffer cipherOut )
+    TLSSocketChannel( SocketChannel channel, Logger logger, SSLEngine sslEngine,
+                      ByteBuffer plainIn, ByteBuffer cipherIn, ByteBuffer plainOut, ByteBuffer cipherOut )
             throws GeneralSecurityException, IOException
     {
         logger.debug( "Testing TLS buffers" );
@@ -109,7 +109,7 @@ public SSLSocketChannel( String host, int port, SocketChannel channel, Logger lo
      *
      * @throws IOException
      */
-    private void runSSLHandShake() throws IOException
+    private void runHandshake() throws IOException
     {
         sslEngine.beginHandshake();
         HandshakeStatus handshakeStatus = sslEngine.getHandshakeStatus();