diff --git a/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/dsl/signer/EthSignerProcessRunner.java b/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/dsl/signer/EthSignerProcessRunner.java
index 0b4b645d0..793edeb4b 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/dsl/signer/EthSignerProcessRunner.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/dsl/signer/EthSignerProcessRunner.java
@@ -238,23 +238,14 @@ private Collection createDownstreamTlsArgs() { params.add(pkcsStoreConfig.getPasswordFile().toString()); }); - clientTlsOptions - .getTrustOptions() - .ifPresent( - downstreamTrustOptions -> { - downstreamTrustOptions - .getKnownServerFile() - .ifPresent( - knownServerFile -> { - params.add("--downstream-http-tls-known-servers-file"); - params.add(knownServerFile.toAbsolutePath().toString()); - }); - - if (!downstreamTrustOptions.isCaAuthRequired()) { - params.add("--downstream-http-tls-ca-auth-enabled"); - params.add("false"); - } - }); + if (clientTlsOptions.getKnownServersFile() != null) { + params.add("--downstream-http-tls-known-servers-file"); + params.add(clientTlsOptions.getKnownServersFile().toAbsolutePath().toString()); + } + if (!clientTlsOptions.isCaAuthEnabled()) { + params.add("--downstream-http-tls-ca-auth-enabled"); + params.add("false"); + } return Collections.unmodifiableCollection(params); }
diff --git a/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/ClientSideTlsAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/ClientSideTlsAcceptanceTest.java
index 1fd1e0e18..749c99caf 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/ClientSideTlsAcceptanceTest.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/ClientSideTlsAcceptanceTest.java 
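Review bot: `clientTlsOptions.getKnownServersFile()` is evaluated twice in the new block, once for the null check and once to build the argument, so the check and the use are not guaranteed to see the same value. Binding it once reads cleaner: `final Path knownServersFile = clientTlsOptions.getKnownServersFile();` followed by `if (knownServersFile != null) {` and `params.add(knownServersFile.toAbsolutePath().toString());` (assuming `java.nio.file.Path` is already imported in this file, which the hunk does not show). createDownstreamTlsArgs starts outside the hunk.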
@@ -22,7 +22,6 @@ import tech.pegasys.ethsigner.core.config.KeyStoreOptions; import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsOptions; -import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsTrustOptions; import tech.pegasys.ethsigner.tests.dsl.node.NodeConfiguration; import tech.pegasys.ethsigner.tests.dsl.node.NodeConfigurationBuilder; import tech.pegasys.ethsigner.tests.dsl.node.NodePorts;
@@ -32,7 +31,6 @@ import tech.pegasys.ethsigner.tests.tls.support.MockBalanceReporter; import tech.pegasys.ethsigner.tests.tls.support.TlsEnabledHttpServerFactory; import tech.pegasys.ethsigner.tests.tls.support.client.BasicClientTlsOptions; -import tech.pegasys.ethsigner.tests.tls.support.client.BasicClientTlsTrustOptions; import tech.pegasys.ethsigner.tests.tls.support.client.BasicKeyStoreOptions; import java.io.IOException;
@@ -112,10 +110,8 @@ private Signer createSigner( final KeyStoreOptions keyStoreOptions = new BasicKeyStoreOptions(presentedCert.getPkcs12File().toPath(), clientPasswordFile); - final ClientTlsTrustOptions clientTlsTrustOptions = - new BasicClientTlsTrustOptions(fingerPrintFilePath, true); final ClientTlsOptions clientTlsOptions = - new BasicClientTlsOptions(keyStoreOptions, clientTlsTrustOptions); + new BasicClientTlsOptions(keyStoreOptions, fingerPrintFilePath, true); builder.withDownstreamTlsOptions(clientTlsOptions); builder.withHttpRpcPort(listenPort);
diff --git a/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/support/client/BasicClientTlsOptions.java b/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/support/client/BasicClientTlsOptions.java
index fafc85d7f..62ea53bb8 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/support/client/BasicClientTlsOptions.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/support/client/BasicClientTlsOptions.java 
@@ -14,18 +14,22 @@ import tech.pegasys.ethsigner.core.config.KeyStoreOptions; import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsOptions; -import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsTrustOptions; +import java.nio.file.Path; import java.util.Optional; public class BasicClientTlsOptions implements ClientTlsOptions { private final Optional tlsCertificateOptions; - private final Optional tlsTrustOptions; + private final Path knownServersFile; + private final boolean caAuthEnabled; public BasicClientTlsOptions( - final KeyStoreOptions tlsCertificateOptions, final ClientTlsTrustOptions tlsTrustOptions) { + final KeyStoreOptions tlsCertificateOptions, + final Path knownServersFile, + final boolean caAuthEnabled) { this.tlsCertificateOptions = Optional.ofNullable(tlsCertificateOptions); - this.tlsTrustOptions = Optional.ofNullable(tlsTrustOptions); + this.knownServersFile = knownServersFile; + this.caAuthEnabled = caAuthEnabled; } @Override
@@ -34,7 +38,12 @@ public Optional getKeyStoreOptions() { } @Override - public Optional getTrustOptions() { - return tlsTrustOptions; + public Path getKnownServersFile() { + return knownServersFile; + } + + @Override + public boolean isCaAuthEnabled() { + return caAuthEnabled; } }
diff --git a/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/support/client/BasicClientTlsTrustOptions.java b/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/support/client/BasicClientTlsTrustOptions.java
deleted file mode 100644
index d5825a0e0..000000000
--- a/acceptance-tests/src/test/java/tech/pegasys/ethsigner/tests/tls/support/client/BasicClientTlsTrustOptions.java
+++ /dev/null 
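Review bot: The new constructor stores `knownServersFile` unwrapped while `tlsCertificateOptions` is still wrapped with `Optional.ofNullable`, so a reader has to infer that null is the "no known-servers file" value. A short Javadoc on the constructor would make that contract explicit, e.g. `/** @param knownServersFile file of pinned server fingerprints, or {@code null} when none is configured */` and `/** @param caAuthEnabled whether CA-signed downstream server certificates are accepted */`. The signer rejects a null file combined with `caAuthEnabled == false` (validateOptions in EthSignerBaseCommand, elsewhere in this change), which is worth one sentence here so test authors do not build that combination by accident.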
@@ -1,39 +0,0 @@ -/* - * Copyright 2020 ConsenSys AG. - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on - * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the - * specific language governing permissions and limitations under the License. - */ -package tech.pegasys.ethsigner.tests.tls.support.client; - -import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsTrustOptions; - -import java.nio.file.Path; -import java.util.Optional; - -public class BasicClientTlsTrustOptions implements ClientTlsTrustOptions { - private final Optional knownServerFile; - private final boolean isCaSignedServerCertificateAllowed; - - public BasicClientTlsTrustOptions( - final Path knownServerFile, final boolean isCaSignedServerCertificateAllowed) { - this.knownServerFile = Optional.ofNullable(knownServerFile); - this.isCaSignedServerCertificateAllowed = isCaSignedServerCertificateAllowed; - } - - @Override - public Optional getKnownServerFile() { - return knownServerFile; - } - - @Override - public boolean isCaAuthRequired() { - return isCaSignedServerCertificateAllowed; - } -}
diff --git a/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/EthSignerBaseCommand.java b/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/EthSignerBaseCommand.java
index 11cefe533..4fcfa9f59 100644
--- a/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/EthSignerBaseCommand.java
+++ b/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/EthSignerBaseCommand.java 
@@ -22,7 +22,6 @@ import tech.pegasys.ethsigner.core.config.Config; import tech.pegasys.ethsigner.core.config.TlsOptions; import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsOptions; -import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsTrustOptions; import tech.pegasys.ethsigner.core.signing.ChainIdProvider; import tech.pegasys.ethsigner.core.signing.ConfigurationChainId;
@@ -198,14 +197,11 @@ public String toString() { void validateOptions(final CommandLine commandLine, final Logger logger) { - if (getClientTlsOptions().isPresent() - && getClientTlsOptions().get().getTrustOptions().isPresent()) { - final ClientTlsTrustOptions clientTlsTrustOptions = - getClientTlsOptions().get().getTrustOptions().get(); - final boolean caAuth = clientTlsTrustOptions.isCaAuthRequired(); - final Optional optionsKnownServerFile = clientTlsTrustOptions.getKnownServerFile(); + if (getClientTlsOptions().isPresent()) { + final boolean caAuth = getClientTlsOptions().get().isCaAuthEnabled(); + final Path optionsKnownServerFile = getClientTlsOptions().get().getKnownServersFile(); // validate that combination of options is sensible - if (optionsKnownServerFile.isEmpty() && !caAuth) { + if (optionsKnownServerFile == null && !caAuth) { throw new ParameterException( commandLine, "Missing required argument(s): --downstream-http-tls-known-servers-file must be specified if --downstream-http-tls-ca-auth-enabled=false");
diff --git a/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/config/tls/client/PicoCliClientTlsOptions.java b/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/config/tls/client/PicoCliClientTlsOptions.java
index f95b8fc3b..12ee3dd6b 100644
--- a/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/config/tls/client/PicoCliClientTlsOptions.java
+++ b/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/config/tls/client/PicoCliClientTlsOptions.java 
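Review bot: `getClientTlsOptions().get()` is now unwrapped twice inside the `isPresent()` branch of validateOptions; binding it once is the usual shape and keeps both reads on the same object, `final ClientTlsOptions clientTlsOptions = getClientTlsOptions().get();` then `final boolean caAuth = clientTlsOptions.isCaAuthEnabled();` and `final Path optionsKnownServerFile = clientTlsOptions.getKnownServersFile();`. The same "null file with CA auth disabled" combination is rejected again in WebClientOptionsFactory.applyTrustOptions with a different message; if both checks are intentional, a comment on the existing `// validate that combination of options is sensible` line saying the factory re-checks at startup would save the next reader the search. validateOptions continues past the end of the hunk.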
@@ -16,7 +16,6 @@ import tech.pegasys.ethsigner.core.config.KeyStoreOptions; import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsOptions; -import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsTrustOptions; import java.nio.file.Path; import java.util.Optional;
@@ -57,14 +56,12 @@ public Optional getKeyStoreOptions() { } @Override - public Optional getTrustOptions() { - // don't validate here just send options through if present - if (caAuthEnabled && knownServersFile == null) { - return Optional.empty(); - } - PicoCliClientTlsTrustOptions trustOptions = new PicoCliClientTlsTrustOptions(); - trustOptions.setCaAuthEnabled(caAuthEnabled); - trustOptions.setKnownServersFile(knownServersFile); - return Optional.ofNullable(trustOptions); + public boolean isCaAuthEnabled() { + return caAuthEnabled; + } + + @Override + public Path getKnownServersFile() { + return knownServersFile; } }
diff --git a/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/config/tls/client/PicoCliClientTlsTrustOptions.java b/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/config/tls/client/PicoCliClientTlsTrustOptions.java
deleted file mode 100644
index 0a28467b3..000000000
--- a/ethsigner/commandline/src/main/java/tech/pegasys/ethsigner/config/tls/client/PicoCliClientTlsTrustOptions.java
+++ /dev/null 
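Review bot: The removed `getTrustOptions()` carried the only comment describing how the two options interact (`// don't validate here just send options through if present`) and the only place that encoded "CA auth on and no file means no trust override"; the new accessors return the raw fields, so neither the null-means-absent contract of `getKnownServersFile()` nor the default of `caAuthEnabled` is stated here any more. Suggest Javadoc on the getter, `/** @return the configured known-servers file, or {@code null} when the option was not given; the combination with CA auth is validated in validateOptions, not here. */`. The `@Option` declarations of `knownServersFile` and `caAuthEnabled` sit outside this hunk; presumably `caAuthEnabled` still defaults to `true`, which `cmdLineIsValidIfOnlyDownstreamKnownServerIsSpecified` in this change relies on.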
@@ -1,58 +0,0 @@ -/* - * Copyright 2020 ConsenSys AG. - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on - * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the - * specific language governing permissions and limitations under the License. - */ -package tech.pegasys.ethsigner.config.tls.client; - -import static tech.pegasys.ethsigner.DefaultCommandValues.MANDATORY_FILE_FORMAT_HELP; - -import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsTrustOptions; - -import java.nio.file.Path; -import java.util.Optional; - -import picocli.CommandLine.Option; - -class PicoCliClientTlsTrustOptions implements ClientTlsTrustOptions { - @Option( - names = "--downstream-http-tls-known-servers-file", - description = - "Path to a file containing the hostname, port and certificate fingerprints of web3 providers to trust.", - paramLabel = MANDATORY_FILE_FORMAT_HELP, - required = true, - arity = "1") - private Path knownServersFile; - - @Option( - names = "--downstream-http-tls-ca-auth-enabled", - description = - "If set, will use the system's CA to validate received server certificates. Defaults to enabled.", - arity = "1") - private boolean caAuthEnabled = true; - - @Override - public Optional getKnownServerFile() { - return Optional.ofNullable(knownServersFile); - } - - @Override - public boolean isCaAuthRequired() { - return caAuthEnabled; - } - - public void setCaAuthEnabled(final boolean caAuthEnabled) { - this.caAuthEnabled = caAuthEnabled; - } - - public void setKnownServersFile(final Path knownServersFile) { - this.knownServersFile = knownServersFile; - } -} 
diff --git a/ethsigner/commandline/src/test/java/tech/pegasys/ethsigner/CommandlineParserClientTlsOptionsTest.java b/ethsigner/commandline/src/test/java/tech/pegasys/ethsigner/CommandlineParserClientTlsOptionsTest.java
index 1fd1930d4..355a5a985 100644
--- a/ethsigner/commandline/src/test/java/tech/pegasys/ethsigner/CommandlineParserClientTlsOptionsTest.java
+++ b/ethsigner/commandline/src/test/java/tech/pegasys/ethsigner/CommandlineParserClientTlsOptionsTest.java
@@ -20,7 +20,6 @@ import tech.pegasys.ethsigner.core.config.KeyStoreOptions; import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsOptions; -import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsTrustOptions; import java.io.ByteArrayOutputStream; import java.io.PrintStream;
@@ -72,7 +71,7 @@ void cmdLineIsValidIfOnlyDownstreamTlsIsEnabled() { assertThat(optionalDownstreamTlsOptions.isPresent()).as("Downstream TLS Options").isTrue(); assertThat(optionalDownstreamTlsOptions.isPresent()).as("TLS Enabled").isTrue(); - assertThat(optionalDownstreamTlsOptions.get().getTrustOptions().isEmpty()).isTrue(); + assertThat(optionalDownstreamTlsOptions.get().getKnownServersFile()).isNull(); assertThat(optionalDownstreamTlsOptions.get().getKeyStoreOptions().isEmpty()).isTrue(); } 
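Review bot: Replacing `getTrustOptions().isEmpty()` with a null check on `getKnownServersFile()` drops part of what the old assertion covered: the removed `getTrustOptions()` in PicoCliClientTlsOptions was empty only when CA auth was enabled and no file was given, so this test no longer pins the CA-auth default for a command line that only enables downstream TLS. Add `assertThat(optionalDownstreamTlsOptions.get().isCaAuthEnabled()).isTrue();` next to the new assertion, so a regression that flips the default to disabled is caught here and not only in `cmdLineIsValidIfOnlyDownstreamKnownServerIsSpecified`.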
@@ -107,10 +106,8 @@ void cmdLineIsValidWithAllTlsOptions() { assertThat(optionalDownstreamTlsOptions.isPresent()).as("Downstream TLS Options").isTrue(); final ClientTlsOptions clientTlsOptions = optionalDownstreamTlsOptions.get(); - assertThat(clientTlsOptions.getTrustOptions().isPresent()).isTrue(); - final ClientTlsTrustOptions clientTlsTrustOptions = clientTlsOptions.getTrustOptions().get(); - assertThat(clientTlsTrustOptions.getKnownServerFile().get()).isEqualTo(Path.of("./test.txt")); - assertThat(clientTlsTrustOptions.isCaAuthRequired()).isFalse(); + assertThat(clientTlsOptions.getKnownServersFile()).isEqualTo(Path.of("./test.txt")); + assertThat(clientTlsOptions.isCaAuthEnabled()).isFalse(); final KeyStoreOptions keyStoreOptions = clientTlsOptions.getKeyStoreOptions().get(); assertThat(keyStoreOptions.getKeyStoreFile()).isEqualTo(Path.of("./test.ks"));
@@ -161,9 +158,8 @@ void cmdLineIsValidWhenTlsClientCertificateOptionsAreMissing() { assertThat(result).isTrue(); final ClientTlsOptions clientTlsOptions = config.getClientTlsOptions().get(); - final ClientTlsTrustOptions clientTlsTrustOptions = clientTlsOptions.getTrustOptions().get(); - assertThat(clientTlsTrustOptions.getKnownServerFile().get()).isEqualTo(Path.of("./test.txt")); - assertThat(clientTlsTrustOptions.isCaAuthRequired()).isFalse(); + assertThat(clientTlsOptions.getKnownServersFile()).isEqualTo(Path.of("./test.txt")); + assertThat(clientTlsOptions.isCaAuthEnabled()).isFalse(); assertThat(clientTlsOptions.getKeyStoreOptions().isEmpty()).isTrue(); } 
@@ -182,10 +178,8 @@ void cmdLineIsValidIfOnlyDownstreamKnownServerIsSpecified() { assertThat(result).isTrue(); final ClientTlsOptions clientTlsOptions = config.getClientTlsOptions().get(); - assertThat(clientTlsOptions.getTrustOptions().isPresent()).isTrue(); - final ClientTlsTrustOptions clientTlsTrustOptions = clientTlsOptions.getTrustOptions().get(); - assertThat(clientTlsTrustOptions.getKnownServerFile().get()).isEqualTo(Path.of("./test.txt")); - assertThat(clientTlsTrustOptions.isCaAuthRequired()).isTrue(); + assertThat(clientTlsOptions.getKnownServersFile()).isEqualTo(Path.of("./test.txt")); + assertThat(clientTlsOptions.isCaAuthEnabled()).isTrue(); assertThat(clientTlsOptions.getKeyStoreOptions().isEmpty()).isTrue(); }
diff --git a/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/WebClientOptionsFactory.java b/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/WebClientOptionsFactory.java
index e68f358b4..cb64e7fad 100644
--- a/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/WebClientOptionsFactory.java
+++ b/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/WebClientOptionsFactory.java
@@ -17,7 +17,6 @@ import tech.pegasys.ethsigner.core.config.Config; import tech.pegasys.ethsigner.core.config.KeyStoreOptions; import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsOptions; -import tech.pegasys.ethsigner.core.config.tls.client.ClientTlsTrustOptions; import tech.pegasys.ethsigner.core.util.FileUtil; import java.io.IOException; 
@@ -48,29 +47,25 @@ private void applyTlsOptions(final WebClientOptions webClientOptions, final Conf final ClientTlsOptions clientTlsOptions = optionalClientTlsOptions.get(); - applyTrustOptions(webClientOptions, clientTlsOptions.getTrustOptions()); + applyTrustOptions( + webClientOptions, + clientTlsOptions.getKnownServersFile(), + clientTlsOptions.isCaAuthEnabled()); applyKeyStoreOptions(webClientOptions, clientTlsOptions.getKeyStoreOptions()); } private void applyTrustOptions( final WebClientOptions webClientOptions, - final Optional optionalTrustOptions) { + final Path knownServerFile, + final boolean caAuthEnabled) { - if (optionalTrustOptions.isEmpty()) { - return; // CA trust is enabled by default. - } - - final Optional optionalKnownServerFile = optionalTrustOptions.get().getKnownServerFile(); - final boolean caAuthRequired = optionalTrustOptions.get().isCaAuthRequired(); - - if (optionalKnownServerFile.isEmpty() && !caAuthRequired) { + if (knownServerFile == null && !caAuthEnabled) { throw new InitializationException( "Must specify a known-server file if CA-signed option is disabled"); } try { - webClientOptions.setTrustOptions( - whitelistServers(optionalKnownServerFile.get(), caAuthRequired)); + webClientOptions.setTrustOptions(whitelistServers(knownServerFile, caAuthEnabled)); } catch (RuntimeException e) { throw new InitializationException("Failed to load known server file.", e); }
diff --git a/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/config/tls/client/ClientTlsOptions.java b/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/config/tls/client/ClientTlsOptions.java
index b55c50985..9824ddd4a 100644
--- a/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/config/tls/client/ClientTlsOptions.java
+++ b/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/config/tls/client/ClientTlsOptions.java 
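Review bot: The early return for the CA-auth-only case is gone: before this change the CLI's `getTrustOptions()` was empty when CA auth was enabled and no known-servers file was given, so applyTrustOptions returned without touching the client's trust store; with the new signature that same configuration now reaches `whitelistServers(null, true)`. Unless `whitelistServers` (outside this hunk) treats a null file as "no pinned servers", a valid configuration either fails startup through the catch with `Failed to load known server file.` or ends up with different trust material than before. Restoring the guard right after the combination check keeps the old behaviour explicit: `if (knownServerFile == null) {` / `return; // CA trust is enabled by default.` / `}`. applyTrustOptions may continue past the end of the hunk.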
@@ -14,10 +14,13 @@ import tech.pegasys.ethsigner.core.config.KeyStoreOptions; +import java.nio.file.Path; import java.util.Optional; public interface ClientTlsOptions { Optional getKeyStoreOptions(); - Optional getTrustOptions(); + Path getKnownServersFile(); + + boolean isCaAuthEnabled(); }
diff --git a/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/config/tls/client/ClientTlsTrustOptions.java b/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/config/tls/client/ClientTlsTrustOptions.java
deleted file mode 100644
index 0f0c4ab63..000000000
--- a/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/config/tls/client/ClientTlsTrustOptions.java
+++ /dev/null
@@ -1,22 +0,0 @@ -/* - * Copyright 2020 ConsenSys AG. - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on - * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the - * specific language governing permissions and limitations under the License. - */ -package tech.pegasys.ethsigner.core.config.tls.client; - -import java.nio.file.Path; -import java.util.Optional; - -public interface ClientTlsTrustOptions { - Optional getKnownServerFile(); - - boolean isCaAuthRequired(); -}
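Review bot: `getKnownServersFile()` replaces an `Optional` with a bare `Path` whose absence is signalled by null, and the interface says nothing about it, although every implementer and caller in this change tests for null. The contract belongs on the interface: `/** @return file of pinned downstream server certificate fingerprints, or {@code null} when none is configured. */` and `/** @return whether CA-signed downstream server certificates are accepted; a {@code null} known-servers file is only valid when this is {@code true}. */`. If returning null rather than `Optional` is deliberate (presumably because picocli binds the field directly in the CLI implementation), a one-line note saying so would prevent a later "wrap it in Optional again" round trip.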