Open lucasmoten opened 3 years ago
Those lines came directly from the implementation of InvokeHttp: https://github.com/apache/nifi/blob/rel/nifi-1.11.4/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/InvokeHTTP.java#L691-L706
in 1.11.4 it doesnt call setSslSocketFactory at all from setUpClient. thats dead code
The code block looks like this for lines 647-666
final SSLContextService sslService = context.getProperty(PROP_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
final SSLContext sslContext = sslService == null ? null : sslService.createSSLContext(ClientAuth.NONE);
// check if the ssl context is set and add the factory if so
if (sslContext != null) {
Tuple<SSLContext, TrustManager[]> sslContextTuple =SslContextFactory.createTrustSslContextWithTrustManagers(
sslService.getKeyStoreFile(),
sslService.getKeyStorePassword() != null ? sslService.getKeyStorePassword().toCharArray() : null,
sslService.getKeyPassword() != null ? sslService.getKeyPassword().toCharArray() : null,
sslService.getKeyStoreType(),
sslService.getTrustStoreFile(),
sslService.getTrustStorePassword() != null ? sslService.getTrustStorePassword().toCharArray() : null,
sslService.getTrustStoreType(),
SslContextFactory.ClientAuth.NONE,
sslService.getSslAlgorithm());
List<X509TrustManager> x509TrustManagers = Arrays.stream(sslContextTuple.getValue())
.filter(trustManager -> trustManager instanceof X509TrustManager)
.map(trustManager -> (X509TrustManager) trustManager).collect(Collectors.toList());
okHttpClientBuilder.sslSocketFactory(sslContextTuple.getKey().getSocketFactory(), x509TrustManagers.get(0));
}
In 1.12.1, the logic changes again in its lines 761-766
// Apply the TLS configuration if present
final SSLContextService sslService = context.getProperty(PROP_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
if (sslService != null) {
final TlsConfiguration tlsConfiguration = sslService.createTlsConfiguration();
OkHttpClientUtils.applyTlsToOkHttpClientBuilder(tlsConfiguration, okHttpClientBuilder);
}
Needs reassessed for whether NiFi 1.12.1+ code pattern adequately handles setting a Key Password independently of Keystore Password
This same concern may apply to other processors initializing SSL Context in the same way.
There is not adequate support for a Key Password indepdent of the Keystore Password. The NiFi interface allows for specifying both a Keystore Password and a Key Password as shown here
The current implementation in GetPolicies only takes into account the Keystore Password when initializing the key manager https://github.com/greymatter-io/nifi-sdk/blob/main/gmd-sdk/nifi-data-processors/src/main/scala/com/deciphernow/greymatter/data/nifi/processors/GetPolicies.java#L288-L303
The description for Key Password is as follows:
The password for the key. If this is not specified, but the Keystore Filename, Password, and Type are specified, then the Keystore Password will be assumed to be the same as the Key Password.