Update RevocationStrategy name to RevocationCheckingStrategy (#1283)
injectives authored Aug 3, 2022
1 parent 51ec3f3 commit d0263ba
Showing 9 changed files with 68 additions and 62 deletions.
12 changes: 6 additions & 6 deletions driver/src/main/java/org/neo4j/driver/Config.java
Expand Up @@ -691,7 +691,7 @@ public enum Strategy {
private final Strategy strategy;
private final List<File> certFiles;
private boolean hostnameVerificationEnabled = true;
private RevocationStrategy revocationStrategy = RevocationStrategy.NO_CHECKS;
private RevocationCheckingStrategy revocationCheckingStrategy = RevocationCheckingStrategy.NO_CHECKS;

private TrustStrategy(Strategy strategy) {
this(strategy, Collections.emptyList());
Expand Down Expand Up @@ -802,8 +802,8 @@ public static TrustStrategy trustAllCertificates() {
* The revocation strategy used for verifying certificates.
* @return this {@link TrustStrategy}'s revocation strategy
*/
public RevocationStrategy revocationStrategy() {
return revocationStrategy;
public RevocationCheckingStrategy revocationCheckingStrategy() {
return revocationCheckingStrategy;
}

/**
Expand All @@ -812,7 +812,7 @@ public RevocationStrategy revocationStrategy() {
* @return the current trust strategy
*/
public TrustStrategy withoutCertificateRevocationChecks() {
this.revocationStrategy = RevocationStrategy.NO_CHECKS;
this.revocationCheckingStrategy = RevocationCheckingStrategy.NO_CHECKS;
return this;
}

Expand All @@ -824,7 +824,7 @@ public TrustStrategy withoutCertificateRevocationChecks() {
* @return the current trust strategy
*/
public TrustStrategy withVerifyIfPresentRevocationChecks() {
this.revocationStrategy = RevocationStrategy.VERIFY_IF_PRESENT;
this.revocationCheckingStrategy = RevocationCheckingStrategy.VERIFY_IF_PRESENT;
return this;
}

Expand All @@ -838,7 +838,7 @@ public TrustStrategy withVerifyIfPresentRevocationChecks() {
* @return the current trust strategy
*/
public TrustStrategy withStrictRevocationChecks() {
this.revocationStrategy = RevocationStrategy.STRICT;
this.revocationCheckingStrategy = RevocationCheckingStrategy.STRICT;
return this;
}
}
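Review bot: The rename removes a public type and a public accessor without a compatibility shim: `RevocationStrategy` is a `public enum` in `org.neo4j.driver` and `TrustStrategy.revocationStrategy()` is public, and neither survives as a `@Deprecated` alias, so any caller compiled against the old names breaks at source and binary level — if the old names shipped in a released version, keep them for one cycle with `@Deprecated(since = "<release-placeholder>", forRemoval = true)` delegating to the new ones. The Javadoc above the new accessor was not updated and still describes a "revocation strategy"; suggest `* The revocation checking strategy used for verifying certificates.` and `* @return this {@link TrustStrategy}'s revocation checking strategy`. The same missing-deprecation point applies to the `SecurityPlan.revocationStrategy()` interface method renamed in the SecurityPlan.java section.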
Expand Up @@ -18,15 +18,18 @@
*/
package org.neo4j.driver;

public enum RevocationStrategy {
/**
* Defines strategy for revocation checks.
*/
public enum RevocationCheckingStrategy {
/** Don't do any OCSP revocation checks, regardless whether there are stapled revocation statuses or not. */
NO_CHECKS,
/** Verify OCSP revocation checks when the revocation status is stapled to the certificate, continue if not. */
VERIFY_IF_PRESENT,
/** Require stapled revocation status and verify OCSP revocation checks, fail if no revocation status is stapled to the certificate. */
STRICT;

public static boolean requiresRevocationChecking(RevocationStrategy revocationStrategy) {
return revocationStrategy.equals(STRICT) || revocationStrategy.equals(VERIFY_IF_PRESENT);
public static boolean requiresRevocationChecking(RevocationCheckingStrategy revocationCheckingStrategy) {
return revocationCheckingStrategy.equals(STRICT) || revocationCheckingStrategy.equals(VERIFY_IF_PRESENT);
}
}
Expand Up @@ -26,7 +26,7 @@
import java.io.Serializable;
import java.security.GeneralSecurityException;
import org.neo4j.driver.Config;
import org.neo4j.driver.RevocationStrategy;
import org.neo4j.driver.RevocationCheckingStrategy;
import org.neo4j.driver.exceptions.ClientException;
import org.neo4j.driver.internal.security.SecurityPlan;
import org.neo4j.driver.internal.security.SecurityPlanImpl;
Expand Down Expand Up @@ -67,7 +67,7 @@ private boolean hasEqualTrustStrategy(SecuritySettings other) {
return t1.isHostnameVerificationEnabled() == t2.isHostnameVerificationEnabled()
&& t1.strategy() == t2.strategy()
&& t1.certFiles().equals(t2.certFiles())
&& t1.revocationStrategy() == t2.revocationStrategy();
&& t1.revocationCheckingStrategy() == t2.revocationCheckingStrategy();
}

public SecurityPlan createSecurityPlan(String uriScheme) {
Expand All @@ -93,9 +93,9 @@ private void assertSecuritySettingsNotUserConfigured(String uriScheme) {

private SecurityPlan createSecurityPlanFromScheme(String scheme) throws GeneralSecurityException, IOException {
if (isHighTrustScheme(scheme)) {
return SecurityPlanImpl.forSystemCASignedCertificates(true, RevocationStrategy.NO_CHECKS);
return SecurityPlanImpl.forSystemCASignedCertificates(true, RevocationCheckingStrategy.NO_CHECKS);
} else {
return SecurityPlanImpl.forAllCertificates(false, RevocationStrategy.NO_CHECKS);
return SecurityPlanImpl.forAllCertificates(false, RevocationCheckingStrategy.NO_CHECKS);
}
}

Expand All @@ -107,16 +107,16 @@ private static SecurityPlan createSecurityPlanImpl(boolean encrypted, Config.Tru
throws GeneralSecurityException, IOException {
if (encrypted) {
boolean hostnameVerificationEnabled = trustStrategy.isHostnameVerificationEnabled();
RevocationStrategy revocationStrategy = trustStrategy.revocationStrategy();
RevocationCheckingStrategy revocationCheckingStrategy = trustStrategy.revocationCheckingStrategy();
switch (trustStrategy.strategy()) {
case TRUST_CUSTOM_CA_SIGNED_CERTIFICATES:
return SecurityPlanImpl.forCustomCASignedCertificates(
trustStrategy.certFiles(), hostnameVerificationEnabled, revocationStrategy);
trustStrategy.certFiles(), hostnameVerificationEnabled, revocationCheckingStrategy);
case TRUST_SYSTEM_CA_SIGNED_CERTIFICATES:
return SecurityPlanImpl.forSystemCASignedCertificates(
hostnameVerificationEnabled, revocationStrategy);
hostnameVerificationEnabled, revocationCheckingStrategy);
case TRUST_ALL_CERTIFICATES:
return SecurityPlanImpl.forAllCertificates(hostnameVerificationEnabled, revocationStrategy);
return SecurityPlanImpl.forAllCertificates(hostnameVerificationEnabled, revocationCheckingStrategy);
default:
throw new ClientException("Unknown TLS authentication strategy: "
+ trustStrategy.strategy().name());
Expand Up @@ -19,7 +19,7 @@
package org.neo4j.driver.internal.security;

import javax.net.ssl.SSLContext;
import org.neo4j.driver.RevocationStrategy;
import org.neo4j.driver.RevocationCheckingStrategy;

/**
* A SecurityPlan consists of encryption and trust details.
Expand All @@ -31,5 +31,5 @@ public interface SecurityPlan {

boolean requiresHostnameVerification();

RevocationStrategy revocationStrategy();
RevocationCheckingStrategy revocationCheckingStrategy();
}
Expand Up @@ -18,8 +18,8 @@
*/
package org.neo4j.driver.internal.security;

import static org.neo4j.driver.RevocationStrategy.VERIFY_IF_PRESENT;
import static org.neo4j.driver.RevocationStrategy.requiresRevocationChecking;
import static org.neo4j.driver.RevocationCheckingStrategy.VERIFY_IF_PRESENT;
import static org.neo4j.driver.RevocationCheckingStrategy.requiresRevocationChecking;
import static org.neo4j.driver.internal.util.CertificateTool.loadX509Cert;

import java.io.File;
Expand All @@ -41,36 +41,39 @@
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.neo4j.driver.RevocationStrategy;
import org.neo4j.driver.RevocationCheckingStrategy;

/**
* A SecurityPlan consists of encryption and trust details.
*/
public class SecurityPlanImpl implements SecurityPlan {
public static SecurityPlan forAllCertificates(
boolean requiresHostnameVerification, RevocationStrategy revocationStrategy)
boolean requiresHostnameVerification, RevocationCheckingStrategy revocationCheckingStrategy)
throws GeneralSecurityException {
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[0], new TrustManager[] {new TrustAllTrustManager()}, null);

return new SecurityPlanImpl(true, sslContext, requiresHostnameVerification, revocationStrategy);
return new SecurityPlanImpl(true, sslContext, requiresHostnameVerification, revocationCheckingStrategy);
}

public static SecurityPlan forCustomCASignedCertificates(
List<File> certFiles, boolean requiresHostnameVerification, RevocationStrategy revocationStrategy)
List<File> certFiles,
boolean requiresHostnameVerification,
RevocationCheckingStrategy revocationCheckingStrategy)
throws GeneralSecurityException, IOException {
SSLContext sslContext = configureSSLContext(certFiles, revocationStrategy);
return new SecurityPlanImpl(true, sslContext, requiresHostnameVerification, revocationStrategy);
SSLContext sslContext = configureSSLContext(certFiles, revocationCheckingStrategy);
return new SecurityPlanImpl(true, sslContext, requiresHostnameVerification, revocationCheckingStrategy);
}

public static SecurityPlan forSystemCASignedCertificates(
boolean requiresHostnameVerification, RevocationStrategy revocationStrategy)
boolean requiresHostnameVerification, RevocationCheckingStrategy revocationCheckingStrategy)
throws GeneralSecurityException, IOException {
SSLContext sslContext = configureSSLContext(Collections.emptyList(), revocationStrategy);
return new SecurityPlanImpl(true, sslContext, requiresHostnameVerification, revocationStrategy);
SSLContext sslContext = configureSSLContext(Collections.emptyList(), revocationCheckingStrategy);
return new SecurityPlanImpl(true, sslContext, requiresHostnameVerification, revocationCheckingStrategy);
}

private static SSLContext configureSSLContext(List<File> customCertFiles, RevocationStrategy revocationStrategy)
private static SSLContext configureSSLContext(
List<File> customCertFiles, RevocationCheckingStrategy revocationCheckingStrategy)
throws GeneralSecurityException, IOException {
KeyStore trustedKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustedKeyStore.load(null, null);
Expand All @@ -83,7 +86,7 @@ private static SSLContext configureSSLContext(List<File> customCertFiles, Revoca
}

PKIXBuilderParameters pkixBuilderParameters =
configurePKIXBuilderParameters(trustedKeyStore, revocationStrategy);
configurePKIXBuilderParameters(trustedKeyStore, revocationCheckingStrategy);

SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManagerFactory trustManagerFactory =
Expand All @@ -101,11 +104,11 @@ private static SSLContext configureSSLContext(List<File> customCertFiles, Revoca
}

private static PKIXBuilderParameters configurePKIXBuilderParameters(
KeyStore trustedKeyStore, RevocationStrategy revocationStrategy)
KeyStore trustedKeyStore, RevocationCheckingStrategy revocationCheckingStrategy)
throws InvalidAlgorithmParameterException, KeyStoreException {
PKIXBuilderParameters pkixBuilderParameters = null;

if (requiresRevocationChecking(revocationStrategy)) {
if (requiresRevocationChecking(revocationCheckingStrategy)) {
// Configure certificate revocation checking (X509CertSelector() selects all certificates)
pkixBuilderParameters = new PKIXBuilderParameters(trustedKeyStore, new X509CertSelector());

Expand All @@ -115,7 +118,7 @@ private static PKIXBuilderParameters configurePKIXBuilderParameters(
// enables status_request extension in client hello
System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");

if (revocationStrategy.equals(VERIFY_IF_PRESENT)) {
if (revocationCheckingStrategy.equals(VERIFY_IF_PRESENT)) {
// enables soft-fail behaviour if no stapled response found.
Security.setProperty("ocsp.enable", "true");
}
Expand Down Expand Up @@ -146,23 +149,23 @@ private static void loadSystemCertificates(KeyStore trustedKeyStore) throws Gene
}

public static SecurityPlan insecure() {
return new SecurityPlanImpl(false, null, false, RevocationStrategy.NO_CHECKS);
return new SecurityPlanImpl(false, null, false, RevocationCheckingStrategy.NO_CHECKS);
}

private final boolean requiresEncryption;
private final SSLContext sslContext;
private final boolean requiresHostnameVerification;
private final RevocationStrategy revocationStrategy;
private final RevocationCheckingStrategy revocationCheckingStrategy;

private SecurityPlanImpl(
boolean requiresEncryption,
SSLContext sslContext,
boolean requiresHostnameVerification,
RevocationStrategy revocationStrategy) {
RevocationCheckingStrategy revocationCheckingStrategy) {
this.requiresEncryption = requiresEncryption;
this.sslContext = sslContext;
this.requiresHostnameVerification = requiresHostnameVerification;
this.revocationStrategy = revocationStrategy;
this.revocationCheckingStrategy = revocationCheckingStrategy;
}

@Override
Expand All @@ -181,8 +184,8 @@ public boolean requiresHostnameVerification() {
}

@Override
public RevocationStrategy revocationStrategy() {
return revocationStrategy;
public RevocationCheckingStrategy revocationCheckingStrategy() {
return revocationCheckingStrategy;
}

private static class TrustAllTrustManager implements X509TrustManager {
18 changes: 9 additions & 9 deletions driver/src/test/java/org/neo4j/driver/ConfigTest.java
Expand Up @@ -26,9 +26,9 @@
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.Mockito.mock;
import static org.neo4j.driver.RevocationStrategy.NO_CHECKS;
import static org.neo4j.driver.RevocationStrategy.STRICT;
import static org.neo4j.driver.RevocationStrategy.VERIFY_IF_PRESENT;
import static org.neo4j.driver.RevocationCheckingStrategy.NO_CHECKS;
import static org.neo4j.driver.RevocationCheckingStrategy.STRICT;
import static org.neo4j.driver.RevocationCheckingStrategy.VERIFY_IF_PRESENT;
import static org.neo4j.driver.internal.handlers.pulln.FetchSizeUtil.DEFAULT_FETCH_SIZE;

import java.io.File;
Expand Down Expand Up @@ -282,16 +282,16 @@ void shouldEnableAndDisableHostnameVerificationOnTrustStrategy() {
@Test
void shouldEnableAndDisableCertificateRevocationChecksOnTestStrategy() {
Config.TrustStrategy trustStrategy = Config.TrustStrategy.trustSystemCertificates();
assertEquals(NO_CHECKS, trustStrategy.revocationStrategy());
assertEquals(NO_CHECKS, trustStrategy.revocationCheckingStrategy());

assertSame(trustStrategy, trustStrategy.withoutCertificateRevocationChecks());
assertEquals(NO_CHECKS, trustStrategy.revocationStrategy());
assertEquals(NO_CHECKS, trustStrategy.revocationCheckingStrategy());

assertSame(trustStrategy, trustStrategy.withStrictRevocationChecks());
assertEquals(STRICT, trustStrategy.revocationStrategy());
assertEquals(STRICT, trustStrategy.revocationCheckingStrategy());

assertSame(trustStrategy, trustStrategy.withVerifyIfPresentRevocationChecks());
assertEquals(VERIFY_IF_PRESENT, trustStrategy.revocationStrategy());
assertEquals(VERIFY_IF_PRESENT, trustStrategy.revocationCheckingStrategy());
}

@Test
Expand Down Expand Up @@ -429,8 +429,8 @@ void shouldSerialize() throws Exception {
config.trustStrategy().isHostnameVerificationEnabled(),
verify.trustStrategy().isHostnameVerificationEnabled());
assertEquals(
config.trustStrategy().revocationStrategy(),
verify.trustStrategy().revocationStrategy());
config.trustStrategy().revocationCheckingStrategy(),
verify.trustStrategy().revocationCheckingStrategy());
assertEquals(config.userAgent(), verify.userAgent());
assertEquals(config.isMetricsEnabled(), verify.isMetricsEnabled());
assertEquals(config.metricsAdapter(), verify.metricsAdapter());
Expand Up @@ -49,7 +49,7 @@
import org.junit.jupiter.api.extension.RegisterExtension;
import org.neo4j.driver.AuthToken;
import org.neo4j.driver.AuthTokens;
import org.neo4j.driver.RevocationStrategy;
import org.neo4j.driver.RevocationCheckingStrategy;
import org.neo4j.driver.exceptions.AuthenticationException;
import org.neo4j.driver.exceptions.ServiceUnavailableException;
import org.neo4j.driver.internal.BoltServerAddress;
Expand Down Expand Up @@ -222,6 +222,6 @@ private ChannelConnectorImpl newConnector(
}

private static SecurityPlan trustAllCertificates() throws GeneralSecurityException {
return SecurityPlanImpl.forAllCertificates(false, RevocationStrategy.NO_CHECKS);
return SecurityPlanImpl.forAllCertificates(false, RevocationCheckingStrategy.NO_CHECKS);
}
}
Expand Up @@ -22,9 +22,9 @@
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.neo4j.driver.RevocationStrategy.NO_CHECKS;
import static org.neo4j.driver.RevocationStrategy.STRICT;
import static org.neo4j.driver.RevocationStrategy.VERIFY_IF_PRESENT;
import static org.neo4j.driver.RevocationCheckingStrategy.NO_CHECKS;
import static org.neo4j.driver.RevocationCheckingStrategy.STRICT;
import static org.neo4j.driver.RevocationCheckingStrategy.VERIFY_IF_PRESENT;

import java.io.File;
import java.io.IOException;
Expand Down Expand Up @@ -77,7 +77,7 @@ void testSystemCertCompatibleConfiguration(String scheme) throws Exception {

assertTrue(securityPlan.requiresEncryption());
assertTrue(securityPlan.requiresHostnameVerification());
assertEquals(NO_CHECKS, securityPlan.revocationStrategy());
assertEquals(NO_CHECKS, securityPlan.revocationCheckingStrategy());
}

@ParameterizedTest
Expand Down Expand Up @@ -178,7 +178,7 @@ void testConfigureStrictRevocationChecking(String scheme) {

SecurityPlan securityPlan = securitySettings.createSecurityPlan(scheme);

assertEquals(STRICT, securityPlan.revocationStrategy());
assertEquals(STRICT, securityPlan.revocationCheckingStrategy());
}

@ParameterizedTest
Expand All @@ -192,7 +192,7 @@ void testConfigureVerifyIfPresentRevocationChecking(String scheme) {

SecurityPlan securityPlan = securitySettings.createSecurityPlan(scheme);

assertEquals(VERIFY_IF_PRESENT, securityPlan.revocationStrategy());
assertEquals(VERIFY_IF_PRESENT, securityPlan.revocationCheckingStrategy());
}

@ParameterizedTest
Expand All @@ -205,7 +205,7 @@ void testRevocationCheckingDisabledByDefault(String scheme) {

SecurityPlan securityPlan = securitySettings.createSecurityPlan(scheme);

assertEquals(NO_CHECKS, securityPlan.revocationStrategy());
assertEquals(NO_CHECKS, securityPlan.revocationCheckingStrategy());
}

@Nested
