Merge pull request #6265 from michael-simons/feature/make_neo4j_encryption_configurable

gsmet · web-flow · commit f80bb060c1af · 2020-07-29T12:40:11.000+02:00
Make Neo4j transport encryption configurable
diff --git a/extensions/neo4j/runtime/pom.xml b/extensions/neo4j/runtime/pom.xml
@@ -26,15 +26,17 @@
             <artifactId>quarkus-smallrye-health</artifactId>
             <optional>true</optional>
         </dependency>
-        <dependency>
-            <groupId>org.graalvm.nativeimage</groupId>
-            <artifactId>svm</artifactId>
-        </dependency>
 
         <dependency>
             <groupId>org.neo4j.driver</groupId>
             <artifactId>neo4j-java-driver</artifactId>
         </dependency>
+
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-junit5-internal</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
diff --git a/extensions/neo4j/runtime/src/main/java/io/quarkus/neo4j/runtime/Neo4jConfiguration.java b/extensions/neo4j/runtime/src/main/java/io/quarkus/neo4j/runtime/Neo4jConfiguration.java
@@ -1,6 +1,11 @@
 package io.quarkus.neo4j.runtime;
 
+import java.io.File;
+import java.nio.file.Path;
 import java.time.Duration;
+import java.util.Optional;
+
+import org.neo4j.driver.Config;
 
 import io.quarkus.runtime.annotations.ConfigDocSection;
 import io.quarkus.runtime.annotations.ConfigGroup;
@@ -28,6 +33,19 @@ public class Neo4jConfiguration {
     @ConfigDocSection
     public Authentication authentication;
 
+    /**
+     * If the driver should use encrypted traffic.
+     */
+    @ConfigItem
+    public boolean encrypted;
+
+    /**
+     * Configure trust settings for encrypted traffic.
+     */
+    @ConfigItem
+    @ConfigDocSection
+    public TrustSettings trustSettings;
+
     /**
      * Connection pool.
      */
@@ -54,7 +72,67 @@ static class Authentication {
          * Set this to true to disable authentication.
          */
         @ConfigItem
-        public boolean disabled = false;
+        public boolean disabled;
+    }
+
+    @ConfigGroup
+    static class TrustSettings {
+
+        public enum Strategy {
+
+            TRUST_ALL_CERTIFICATES,
+
+            TRUST_CUSTOM_CA_SIGNED_CERTIFICATES,
+
+            TRUST_SYSTEM_CA_SIGNED_CERTIFICATES
+        }
+
+        /**
+         * Configures which trust strategy to apply when using encrypted traffic.
+         */
+        @ConfigItem(defaultValue = "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES")
+        public Strategy strategy;
+
+        /**
+         * The file of the certificate to use.
+         */
+        @ConfigItem
+        public Optional<Path> certFile = Optional.empty();
+
+        /**
+         * If hostname verification is used.
+         */
+        @ConfigItem
+        public boolean hostnameVerificationEnabled;
+
+        Config.TrustStrategy toInternalRepresentation() {
+
+            Config.TrustStrategy internalRepresentation;
+            Strategy nonNullStrategy = strategy == null ? Strategy.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES : strategy;
+            switch (nonNullStrategy) {
+                case TRUST_ALL_CERTIFICATES:
+                    internalRepresentation = Config.TrustStrategy.trustAllCertificates();
+                    break;
+                case TRUST_SYSTEM_CA_SIGNED_CERTIFICATES:
+                    internalRepresentation = Config.TrustStrategy.trustSystemCertificates();
+                    break;
+                case TRUST_CUSTOM_CA_SIGNED_CERTIFICATES:
+
+                    File certFile = this.certFile.map(Path::toFile).filter(File::isFile)
+                            .orElseThrow(() -> new RuntimeException("Configured trust strategy requires a certificate file."));
+                    internalRepresentation = Config.TrustStrategy.trustCustomCertificateSignedBy(certFile);
+                    break;
+                default:
+                    throw new RuntimeException("Unknown trust strategy: " + this.strategy.name());
+            }
+
+            if (hostnameVerificationEnabled) {
+                internalRepresentation.withHostnameVerification();
+            } else {
+                internalRepresentation.withoutHostnameVerification();
+            }
+            return internalRepresentation;
+        }
     }
 
     @ConfigGroup
diff --git a/extensions/neo4j/runtime/src/main/java/io/quarkus/neo4j/runtime/Neo4jDriverRecorder.java b/extensions/neo4j/runtime/src/main/java/io/quarkus/neo4j/runtime/Neo4jDriverRecorder.java
@@ -42,7 +42,7 @@ private Driver initializeDriver(Neo4jConfiguration configuration,
         }
 
         Config.ConfigBuilder configBuilder = createBaseConfig();
-        configureSsl(configBuilder);
+        configureSsl(configBuilder, configuration);
         configurePoolSettings(configBuilder, configuration.pool);
 
         Driver driver = GraphDatabase.driver(uri, authToken, configBuilder.build());
@@ -62,13 +62,21 @@ private static Config.ConfigBuilder createBaseConfig() {
         return configBuilder;
     }
 
-    private static void configureSsl(Config.ConfigBuilder configBuilder) {
+    private static void configureSsl(Config.ConfigBuilder configBuilder,
+            Neo4jConfiguration configuration) {
 
         // Disable encryption regardless of user configuration when ssl is not natively enabled.
         if (ImageInfo.inImageRuntimeCode() && !SslContextConfiguration.isSslNativeEnabled()) {
             log.warn(
-                    "Native SSL is disabled, communication between this client and the Neo4j server won't be encrypted.");
+                    "Native SSL is disabled, communication between this client and the Neo4j server cannot be encrypted.");
             configBuilder.withoutEncryption();
+        } else {
+            if (configuration.encrypted) {
+                configBuilder.withEncryption();
+                configBuilder.withTrustStrategy(configuration.trustSettings.toInternalRepresentation());
+            } else {
+                configBuilder.withoutEncryption();
+            }
         }
     }
 
diff --git a/extensions/neo4j/runtime/src/test/java/io/quarkus/neo4j/runtime/Neo4jConfigurationTest.java b/extensions/neo4j/runtime/src/test/java/io/quarkus/neo4j/runtime/Neo4jConfigurationTest.java
@@ -0,0 +1,90 @@
+package io.quarkus.neo4j.runtime;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Optional;
+
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.neo4j.driver.Config;
+
+import io.quarkus.neo4j.runtime.Neo4jConfiguration.TrustSettings;
+
+class Neo4jConfigurationTest {
+
+    @Nested
+    class TrustSettingsTest {
+
+        @Test
+        void defaultsShouldWork() {
+
+            TrustSettings trustSettings = new TrustSettings();
+
+            Config.TrustStrategy internalRepresentation = trustSettings.toInternalRepresentation();
+            assertFalse(internalRepresentation.isHostnameVerificationEnabled());
+            assertEquals(Config.TrustStrategy.Strategy.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
+                    internalRepresentation.strategy());
+        }
+
+        @Test
+        void trustAllSettingShouldWork() {
+
+            TrustSettings trustSettings = new TrustSettings();
+            trustSettings.strategy = TrustSettings.Strategy.TRUST_ALL_CERTIFICATES;
+
+            Config.TrustStrategy internalRepresentation = trustSettings.toInternalRepresentation();
+            assertEquals(Config.TrustStrategy.Strategy.TRUST_ALL_CERTIFICATES, internalRepresentation.strategy());
+        }
+
+        @Test
+        void hostnameVerificationSettingShouldWork() {
+
+            TrustSettings trustSettings = new TrustSettings();
+            trustSettings.hostnameVerificationEnabled = true;
+
+            Config.TrustStrategy internalRepresentation = trustSettings.toInternalRepresentation();
+            assertTrue(internalRepresentation.isHostnameVerificationEnabled());
+        }
+
+        @Test
+        void customCaShouldRequireCertFile() {
+
+            TrustSettings trustSettings = new TrustSettings();
+            trustSettings.strategy = TrustSettings.Strategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES;
+
+            String msg = assertThrows(RuntimeException.class, () -> trustSettings.toInternalRepresentation())
+                    .getMessage();
+            assertEquals("Configured trust strategy requires a certificate file.", msg);
+        }
+
+        @Test
+        void customCaShouldRequireExistingCertFile() {
+
+            TrustSettings trustSettings = new TrustSettings();
+            trustSettings.strategy = TrustSettings.Strategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES;
+            trustSettings.certFile = Optional.of(Paths.get("na"));
+
+            String msg = assertThrows(RuntimeException.class, () -> trustSettings.toInternalRepresentation())
+                    .getMessage();
+            assertEquals("Configured trust strategy requires a certificate file.", msg);
+        }
+
+        @Test
+        void trustCustomCaSettingShouldWork() throws IOException {
+
+            TrustSettings trustSettings = new TrustSettings();
+            trustSettings.strategy = TrustSettings.Strategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES;
+            trustSettings.certFile = Optional.of(Files.createTempFile("quarkus-neo4j-test", ".cert"));
+
+            Config.TrustStrategy internalRepresentation = trustSettings.toInternalRepresentation();
+            assertEquals(Config.TrustStrategy.Strategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES,
+                    internalRepresentation.strategy());
+        }
+    }
+}
