Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-7064

Add Custom TLS Hostname Validation to InvokeHTTP

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    Description

      HandleHTTPRequest processor as server, supports 2Way SSL( ie client authentication). InvokeHTTP processor as client, unfortunately not. I would like provide my patch for InvokeHTTP processor.See attach.

      Here some comments for code.

      I added Client.Auth methods

      I added hostname validator.

      Due to original code base and chosen HTTP client, I changed OkHttpClient reference to OkHttpClient.Builder for host validation handler. I have not way to support EL in properties and pass them to handler from setupto trigger via context.

      AtomicReference<OkHttpClient.Builder> okHttpClientBuilderAtomicReferenc

      Most hard and long operations done before trigger, while scheduler starts, building client is relatively lightweight.

      Some comments about host validator, reasons to do this.

      My case is build RESTful services with 2-way SSL authentication by IP. Remote client can be a servers at same time as a clients, like mutual communication, but no domains, only IPs in green field. More over, clients can change dynamically their IP due to selected channel, LAN or Cellular, here is not way to provide SAN to certificate at configuration. Now you can provide dynamically via EL/param IP addresses to check hostname for client authentication.

       

      PS. It's not clear code, why processor build SSLContext in SSL Context Controlller, but not use it anyhow? This is strange and unclear, possibly, here we can reduce the code.

      PPS. It not clear, how to build tests for this case.

       

       

      Sincerely,

      Dmitry.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            dreadolph Dmitry Mashkov
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment