[NO ISSUE][HYR][NET] Extend SSL engine API to indicate client use
Ext-ref: MB-52099
Change-Id: Id46266849ded6d0ea632293e829aed78396e0ea1
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/18950
Tested-by: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Reviewed-by: Michael Blow <mblow@apache.org>
Reviewed-by: Murtadha Hubail <mhubail@apache.org>
diff --git a/hyracks-fullstack/hyracks/hyracks-api/pom.xml b/hyracks-fullstack/hyracks/hyracks-api/pom.xml
index 7a4eb58..eee03f3 100644
--- a/hyracks-fullstack/hyracks/hyracks-api/pom.xml
+++ b/hyracks-fullstack/hyracks/hyracks-api/pom.xml
@@ -105,5 +105,9 @@
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-handler</artifactId>
+ </dependency>
</dependencies>
</project>
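Review bot: The new `io.netty:netty-handler` dependency in hyracks-api appears to be needed only for the `ClientAuth` enum imported in INetworkSecurityConfig.java, at least from the hunks shown here. That makes a full TLS handler library a transitive dependency of every consumer of the API module and exposes a Netty type in a public interface. A small project-local enum, mapped to Netty's `ClientAuth` in the implementing module, would keep the API module's dependency footprint and patch surface smaller. The entry has no `<version>`, presumably because it is managed in a parent `dependencyManagement` section; worth confirming that it resolves to the same pinned Netty version the rest of the build uses.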
diff --git a/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java b/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
index 7fc0335..e581c5a 100644
--- a/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
+++ b/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
@@ -24,6 +24,8 @@
import java.security.KeyStore;
import java.util.Optional;
+import io.netty.handler.ssl.ClientAuth;
+
public interface INetworkSecurityConfig extends Serializable {
/**
@@ -34,25 +36,51 @@
boolean isSslEnabled();
/**
- * Gets the key store to be used for secured connections
- *
- * @return the key store to be used
+ * Indicates how to handle client authentication when ssl is enabled
*/
- KeyStore getKeyStore();
+ ClientAuth getClientAuth();
/**
- * Gets a key store file to be used if {@link INetworkSecurityConfig#getKeyStore()} returns null.
+ * Gets the key store to be used for secured connections
+ *
+ * @return the key store to be used, if present
+ */
+ Optional<KeyStore> getKeyStore();
+
+ /**
+ * Gets a key store file, password pair to be used if {@link INetworkSecurityConfig#getKeyStore()} returns empty.
*
* @return the key store file
*/
File getKeyStoreFile();
/**
- * Gets the password for the key store file.
+ * Gets a password to be used to unlock or check integrity of the key store.
*
- * @return the password to the key store file
+ * @return the key store password, or {@link Optional#empty()}
*/
- String getKeyStorePassword();
+ Optional<char[]> getKeyStorePassword();
+
+ /**
+ * Gets the client key store to be used for client auth, if applicable.
+ *
+ * @return the client key store to be used for client auth, or {@link Optional#empty()}
+ */
+ Optional<KeyStore> getClientKeyStore();
+
+ /**
+ * Gets a client key store file to be used if {@link INetworkSecurityConfig#getClientKeyStore()} returns empty.
+ *
+ * @return the key store file
+ */
+ File getClientKeyStoreFile();
+
+ /**
+ * Gets a password to be used to unlock or check integrity of the client key store.
+ *
+ * @return the client key store password, or {@link Optional#empty()}
+ */
+ Optional<char[]> getClientKeyStorePassword();
/**
* Gets the trust store to be used for validating certificates of secured connections
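Review bot: The new `Optional<char[]>` getters (`getKeyStorePassword`, `getClientKeyStorePassword`) do not say who owns the returned array, so the benefit of `char[]` over `String` is easy to lose. I would add to both Javadocs a line such as `The returned array is a copy; callers should zero it after use.`, or state the opposite if the array is shared. `getClientAuth()` has no `@return` and does not say what is returned when SSL is disabled, and the `getKeyStoreFile()` comment now reads "file, password pair" although the method returns only a `File`. Because the interface extends `Serializable` and `Optional` is not serializable, a sentence telling implementers to hold the raw values in fields and wrap them in the getter would also help. The interface body continues outside this hunk.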
diff --git a/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityManager.java b/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityManager.java
index eb52436..8462f91 100644
--- a/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityManager.java
+++ b/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityManager.java
@@ -28,14 +28,14 @@
*
* @return a new ssl context
*/
- SSLContext newSSLContext();
+ SSLContext newSSLContext(boolean clientMode);
/**
* Creates a new ssl engine based on the current configuration of this {@link INetworkSecurityManager}
*
* @return a new ssl engine
*/
- SSLEngine newSSLEngine();
+ SSLEngine newSSLEngine(boolean clientMode);
/**
* Sets the configuration to be used for this {@link INetworkSecurityManager}
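Review bot: Both Javadoc blocks were left unchanged while `newSSLContext` and `newSSLEngine` gained a `clientMode` parameter, so nothing documents what the flag selects. I would add to each `@param clientMode {@code true} to create it for the connecting (client) side, {@code false} for the accepting (server) side`. Neither method takes the peer host, so it is worth confirming in the implementation (not visible here) that client-mode engines still perform endpoint identification wherever certificates are expected to match host names. The interface continues outside the hunk.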