diff --git a/build.gradle b/build.gradle index c817c9c2c..d1c5de135 100644 --- a/build.gradle +++ b/build.gradle @@ -22,7 +22,7 @@ buildscript { maven { url "https://plugins.gradle.org/m2/" } } dependencies { - classpath 'com.netflix.spinnaker.gradle:spinnaker-gradle-project:3.13.0' + classpath 'com.netflix.spinnaker.gradle:spinnaker-gradle-project:3.16.0' } } @@ -34,7 +34,7 @@ allprojects { group = 'com.netflix.spinnaker.kork' ext { - spinnakerDependenciesVersion = project.hasProperty('spinnakerDependenciesVersion') ? project.property('spinnakerDependenciesVersion') : '0.91.0' + spinnakerDependenciesVersion = project.hasProperty('spinnakerDependenciesVersion') ? project.property('spinnakerDependenciesVersion') : '0.106.0-rc.1-springBoot154' } def checkLocalVersions = [spinnakerDependenciesVersion: spinnakerDependenciesVersion] diff --git a/kork-core/src/main/java/com/netflix/spinnaker/kork/metrics/SpectatorConfiguration.java b/kork-core/src/main/java/com/netflix/spinnaker/kork/metrics/SpectatorConfiguration.java index 22d368b66..a63af62d4 100644 --- a/kork-core/src/main/java/com/netflix/spinnaker/kork/metrics/SpectatorConfiguration.java +++ b/kork-core/src/main/java/com/netflix/spinnaker/kork/metrics/SpectatorConfiguration.java @@ -62,7 +62,7 @@ MetricsController metricsController(Registry registry) { @Bean @Primary - @ConditionalOnMissingClass(name = "org.springframework.messaging.MessageChannel") + @ConditionalOnMissingClass("org.springframework.messaging.MessageChannel") @ConditionalOnMissingBean(name = "primaryMetricWriter") public MetricWriter primaryMetricWriter(List writers) { return new CompositeMetricWriter(writers); diff --git a/kork-web/src/main/groovy/com/netflix/spinnaker/config/TomcatConfiguration.groovy b/kork-web/src/main/groovy/com/netflix/spinnaker/config/TomcatConfiguration.groovy index 8c84b43a5..05bb448ee 100644 --- a/kork-web/src/main/groovy/com/netflix/spinnaker/config/TomcatConfiguration.groovy 
+++ b/kork-web/src/main/groovy/com/netflix/spinnaker/config/TomcatConfiguration.groovy @@ -23,6 +23,7 @@ import groovy.util.logging.Slf4j import org.apache.catalina.connector.Connector import org.apache.coyote.http11.AbstractHttp11JsseProtocol import org.apache.coyote.http11.Http11NioProtocol +import org.apache.tomcat.util.net.SSLHostConfig import org.springframework.boot.actuate.endpoint.ResolvedEnvironmentEndpoint import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer @@ -61,11 +62,13 @@ class TomcatConfiguration { def handler = connector.getProtocolHandler() if (handler instanceof AbstractHttp11JsseProtocol) { if (handler.isSSLEnabled()) { - handler.setProperty("useServerCipherSuitesOrder", "true") - handler.setProperty("sslEnabledProtocols", okHttpClientConfigurationProperties.tlsVersions.join(",")) - handler.setCiphers(okHttpClientConfigurationProperties.cipherSuites.join(",")) - handler.setSslImplementationName(BlacklistingSSLImplementation.name) - handler.setCrlFile(sslExtensionConfigurationProperties.getCrlFile()) + SSLHostConfig sslHostConfig = new SSLHostConfig(); + sslHostConfig.setHonorCipherOrder("true") + sslHostConfig.ciphers = okHttpClientConfigurationProperties.cipherSuites.join(",") + sslHostConfig.setProtocols(okHttpClientConfigurationProperties.tlsVersions.join(",")) + sslHostConfig.setTrustManagerClassName(BlacklistingSSLImplementation.name) + sslHostConfig.setCertificateRevocationListFile(sslExtensionConfigurationProperties.getCrlFile()) + handler.addSslHostConfig(sslHostConfig) } } } diff --git a/kork-web/src/main/groovy/com/netflix/spinnaker/tomcat/x509/BlacklistingJSSESocketFactory.java b/kork-web/src/main/groovy/com/netflix/spinnaker/tomcat/x509/BlacklistingJSSESocketFactory.java index 2563ed97c..3b44b4686 100644 --- a/kork-web/src/main/groovy/com/netflix/spinnaker/tomcat/x509/BlacklistingJSSESocketFactory.java 
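Review bot: `sslHostConfig.setTrustManagerClassName(BlacklistingSSLImplementation.name)` in the `isSSLEnabled()` branch is not an equivalent of the removed `handler.setSslImplementationName(...)`: Tomcat's `trustManagerClassName` expects a class implementing `javax.net.ssl.TrustManager`, while `BlacklistingSSLImplementation` extends `JSSEImplementation`. As written the connector's SSL implementation is never switched to the blacklisting one, so its `getSSLUtil` would presumably not be called and blacklisted client certificates would not be filtered (or trust-manager creation fails at startup, depending on the Tomcat version). I would keep `handler.setSslImplementationName(BlacklistingSSLImplementation.name)` and drop the `setTrustManagerClassName` line. Separately, the `new SSLHostConfig()` carries none of the keystore, truststore or client-auth settings configured on the connector elsewhere, so it looks safer to apply these setters to the existing entry from `handler.findSslHostConfigs()` than to add a fresh one. The enclosing customizer starts above this hunk.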
+++ b/kork-web/src/main/groovy/com/netflix/spinnaker/tomcat/x509/BlacklistingJSSESocketFactory.java @@ -16,27 +16,27 @@ package com.netflix.spinnaker.tomcat.x509; -import org.apache.tomcat.util.net.AbstractEndpoint; -import org.apache.tomcat.util.net.jsse.JSSESocketFactory; +import org.apache.tomcat.util.net.SSLHostConfigCertificate; +import org.apache.tomcat.util.net.jsse.JSSEUtil; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import java.util.Optional; -public class BlacklistingJSSESocketFactory extends JSSESocketFactory { +public class BlacklistingJSSESocketFactory extends JSSEUtil { private static final String BLACKLIST_PREFIX = "blacklist:"; private final Blacklist blacklist; - public BlacklistingJSSESocketFactory(AbstractEndpoint endpoint) { - super(endpoint); - String blacklistFile = Optional.ofNullable(endpoint.getCrlFile()) + public BlacklistingJSSESocketFactory(SSLHostConfigCertificate certificate) { + super(certificate); + String blacklistFile = Optional.ofNullable(certificate.getSSLHostConfig().getCertificateRevocationListFile()) .filter(file -> file.startsWith(BLACKLIST_PREFIX)) .map(file -> file.substring(BLACKLIST_PREFIX.length())) .orElse(null); if (blacklistFile != null) { - endpoint.setCrlFile(null); + certificate.getSSLHostConfig().setCertificateRevocationListFile(null); blacklist = Blacklist.forFile(blacklistFile); } else { blacklist = null; diff --git a/kork-web/src/main/groovy/com/netflix/spinnaker/tomcat/x509/BlacklistingSSLImplementation.java b/kork-web/src/main/groovy/com/netflix/spinnaker/tomcat/x509/BlacklistingSSLImplementation.java index e96a23852..58ede4d90 100644 --- a/kork-web/src/main/groovy/com/netflix/spinnaker/tomcat/x509/BlacklistingSSLImplementation.java +++ b/kork-web/src/main/groovy/com/netflix/spinnaker/tomcat/x509/BlacklistingSSLImplementation.java 
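Review bot: The constructor writes `setCertificateRevocationListFile(null)` onto `certificate.getSSLHostConfig()`, which is the host-level config rather than state owned by this instance. If Tomcat builds another SSLUtil for the same host config (a second certificate type, or a re-initialisation of the endpoint), that instance reads null, takes the `else` branch and runs with `blacklist = null`, so the blacklist is silently off for it. I would keep the parsed `Blacklist` keyed by the host config, or at least document the one-shot behaviour above the reset, e.g. `// Clears the shared CRL path so Tomcat does not parse the blacklist file as a CRL; later instances for this host config will see null.` The class is also no longer a socket factory now that it extends `JSSEUtil`, so a rename would help readers. The constructor body continues past the end of the hunk.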
@@ -16,9 +16,8 @@ package com.netflix.spinnaker.tomcat.x509; -import org.apache.tomcat.util.net.AbstractEndpoint; +import org.apache.tomcat.util.net.SSLHostConfigCertificate; import org.apache.tomcat.util.net.SSLUtil; -import org.apache.tomcat.util.net.ServerSocketFactory; import org.apache.tomcat.util.net.jsse.JSSEImplementation; /** @@ -35,13 +34,9 @@ * revoked certificates. */ public class BlacklistingSSLImplementation extends JSSEImplementation { - @Override - public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint) { - return new BlacklistingJSSESocketFactory(endpoint); - } @Override - public SSLUtil getSSLUtil(AbstractEndpoint endpoint) { - return new BlacklistingJSSESocketFactory(endpoint); + public SSLUtil getSSLUtil(SSLHostConfigCertificate certificate) { + return new BlacklistingJSSESocketFactory(certificate); } }