diff --git a/zuul-core/build.gradle b/zuul-core/build.gradle
index a7c330c8b1..7eb871fc73 100644
--- a/zuul-core/build.gradle
+++ b/zuul-core/build.gradle
@@ -11,9 +11,9 @@ dependencies {
 // TODO(carl-mastrangelo): this can be implementation; remove Logger from public api points.
 api libraries.slf4j
- implementation 'org.bouncycastle:bcprov-jdk18on:1.83'
- implementation 'org.bouncycastle:bcpkix-jdk18on:1.83'
- implementation 'org.bouncycastle:bctls-jdk18on:1.83'
+ implementation 'org.bouncycastle:bcprov-jdk18on:1.78.1'
+ implementation 'org.bouncycastle:bcpkix-jdk18on:1.78.1'
+ implementation 'org.bouncycastle:bctls-jdk18on:1.78.1'
 implementation 'com.fasterxml.jackson.core:jackson-core:2.19.2'
 api 'com.fasterxml.jackson.core:jackson-databind:2.19.2'
diff --git a/zuul-core/dependencies.lock b/zuul-core/dependencies.lock
index 4ecc780ad5..f3a8c947f3 100644
--- a/zuul-core/dependencies.lock
+++ b/zuul-core/dependencies.lock
@@ -96,13 +96,13 @@ "locked": "2.0.1" }, "org.bouncycastle:bcpkix-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "locked": "1.0.0"
@@ -224,13 +224,13 @@ "locked": "2.0.1" }, "org.bouncycastle:bcpkix-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "locked": "1.0.0"
@@ -367,13 +367,13 @@ "locked": "4.2.2" }, "org.bouncycastle:bcpkix-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "locked": "1.0.0"
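Review bot: The three `org.bouncycastle` pins in the `dependencies` block of zuul-core/build.gradle go from 1.83 back to 1.78.1, a downgrade of the crypto/TLS provider, and the hunk gives no reason for it. Whatever upstream fixed between those releases is no longer picked up, so the Bouncy Castle release notes and advisories for that range should be reviewed before this is merged. I would record the constraint next to the pins, e.g. `// Pinned to 1.78.1 because <reason / issue link>; re-check BC advisories before changing`. The same commit also deletes `TlsPskHandlerTest` and `ZuulPskServerTest`, which asserted the TLS 1.3-only version list and the PSK cipher-suite map; if they do not depend on the newer release (I cannot tell from the diff), keeping them would guard the handshake configuration across this version change. The `dependencies` block starts before the hunk and continues past it.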
@@ -522,13 +522,13 @@ "locked": "2.0.1" }, "org.bouncycastle:bcpkix-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "locked": "1.0.0" @@ -643,13 +643,13 @@ "locked": "4.2.2" }, "org.bouncycastle:bcpkix-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "locked": "1.0.0" @@ -795,13 +795,13 @@ "locked": "4.2.2" }, "org.bouncycastle:bcpkix-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "locked": "1.0.0" diff --git a/zuul-core/src/test/java/com/netflix/zuul/netty/server/psk/TlsPskHandlerTest.java b/zuul-core/src/test/java/com/netflix/zuul/netty/server/psk/TlsPskHandlerTest.java deleted file mode 100644 index 06191f12e3..0000000000 --- a/zuul-core/src/test/java/com/netflix/zuul/netty/server/psk/TlsPskHandlerTest.java +++ /dev/null 
@@ -1,90 +0,0 @@ -/* - * Copyright 2024 Netflix, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.netflix.zuul.netty.server.psk; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.mockito.Mockito.mock; - -import com.netflix.spectator.api.DefaultRegistry; -import io.netty.channel.ChannelPipeline; -import io.netty.channel.embedded.EmbeddedChannel; -import java.util.Set; -import org.bouncycastle.tls.CipherSuite; -import org.bouncycastle.tls.ProtocolName; -import org.junit.jupiter.api.Test; - -class TlsPskHandlerTest { - - @Test - void cipherSuiteMapContainsAes128Gcm() { - assertThat(TlsPskHandler.SUPPORTED_TLS_PSK_CIPHER_SUITE_MAP) - .containsKey(CipherSuite.TLS_AES_128_GCM_SHA256); - assertThat(TlsPskHandler.SUPPORTED_TLS_PSK_CIPHER_SUITE_MAP.get(CipherSuite.TLS_AES_128_GCM_SHA256)) - .isEqualTo("TLS_AES_128_GCM_SHA256"); - } - - @Test - void cipherSuiteMapContainsAes256Gcm() { - assertThat(TlsPskHandler.SUPPORTED_TLS_PSK_CIPHER_SUITE_MAP) - .containsKey(CipherSuite.TLS_AES_256_GCM_SHA384); - assertThat(TlsPskHandler.SUPPORTED_TLS_PSK_CIPHER_SUITE_MAP.get(CipherSuite.TLS_AES_256_GCM_SHA384)) - .isEqualTo("TLS_AES_256_GCM_SHA384"); - } - - @Test - void cipherSuiteMapHasExactlyTwoEntries() { - assertThat(TlsPskHandler.SUPPORTED_TLS_PSK_CIPHER_SUITE_MAP).hasSize(2); - } - - @Test - void handlerAddedInsertsTlsPskDecoder() { - ExternalTlsPskProvider pskProvider = mock(ExternalTlsPskProvider.class); - 
TlsPskHandler handler = new TlsPskHandler( - new DefaultRegistry(), - pskProvider, - Set.of(ProtocolName.HTTP_2_TLS)); - - EmbeddedChannel channel = new EmbeddedChannel(handler); - ChannelPipeline pipeline = channel.pipeline(); - - assertThat(pipeline.get("tls_psk_handler")).isNotNull(); - assertThat(pipeline.get("tls_psk_handler")).isInstanceOf(TlsPskDecoder.class); - channel.close(); - } - - @Test - void applicationProtocolNullBeforeHandshake() { - ExternalTlsPskProvider pskProvider = mock(ExternalTlsPskProvider.class); - TlsPskHandler handler = new TlsPskHandler( - new DefaultRegistry(), - pskProvider, - Set.of(ProtocolName.HTTP_2_TLS)); - - assertThat(handler.getApplicationProtocol()).isNull(); - } - - @Test - void sessionAvailableBeforeHandshake() { - ExternalTlsPskProvider pskProvider = mock(ExternalTlsPskProvider.class); - TlsPskHandler handler = new TlsPskHandler( - new DefaultRegistry(), - pskProvider, - Set.of(ProtocolName.HTTP_1_1)); - - assertThat(handler.getSession()).isNotNull(); - } -} diff --git a/zuul-core/src/test/java/com/netflix/zuul/netty/server/psk/ZuulPskServerTest.java b/zuul-core/src/test/java/com/netflix/zuul/netty/server/psk/ZuulPskServerTest.java deleted file mode 100644 index f381c1b01d..0000000000 --- a/zuul-core/src/test/java/com/netflix/zuul/netty/server/psk/ZuulPskServerTest.java +++ /dev/null 
@@ -1,114 +0,0 @@ -/* - * Copyright 2024 Netflix, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.netflix.zuul.netty.server.psk; - -import static org.assertj.core.api.Assertions.assertThat; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; - -import com.netflix.spectator.api.DefaultRegistry; -import com.netflix.spectator.api.Registry; -import io.netty.channel.Channel; -import io.netty.channel.ChannelHandlerContext; -import io.netty.util.DefaultAttributeMap; -import java.security.SecureRandom; -import java.util.Set; -import java.util.Vector; -import org.bouncycastle.tls.CipherSuite; -import org.bouncycastle.tls.ProtocolName; -import org.bouncycastle.tls.ProtocolVersion; -import org.bouncycastle.tls.crypto.TlsCrypto; -import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; - -class ZuulPskServerTest { - - private Registry registry; - private ChannelHandlerContext ctx; - private ExternalTlsPskProvider pskProvider; - private ZuulPskServer server; - private TlsCrypto crypto; - - @BeforeEach - void setUp() { - registry = new DefaultRegistry(); - ctx = mock(ChannelHandlerContext.class); - Channel channel = mock(Channel.class); - when(ctx.channel()).thenReturn(channel); - when(channel.attr(ZuulPskServer.TLS_HANDSHAKE_USING_EXTERNAL_PSK)) - .thenReturn(new 
DefaultAttributeMap().attr(ZuulPskServer.TLS_HANDSHAKE_USING_EXTERNAL_PSK)); - pskProvider = mock(ExternalTlsPskProvider.class); - crypto = new JcaTlsCryptoProvider().create(new SecureRandom()); - server = new ZuulPskServer( - crypto, registry, pskProvider, ctx, Set.of(ProtocolName.HTTP_2_TLS, ProtocolName.HTTP_1_1)); - } - - @Test - void credentialsAreNullForPskMode() { - assertThat(server.getCredentials()).isNull(); - } - - @Test - void supportedVersionsAreTls13Only() { - ProtocolVersion[] versions = server.getSupportedVersions(); - - assertThat(versions).containsExactly(ProtocolVersion.TLSv13); - } - - @Test - void supportedCipherSuitesMatchHandlerMap() { - int[] suites = server.getSupportedCipherSuites(); - - assertThat(suites).isNotEmpty(); - for (int suite : suites) { - assertThat(TlsPskHandler.SUPPORTED_TLS_PSK_CIPHER_SUITE_MAP).containsKey(suite); - } - } - - @Test - @SuppressWarnings("unchecked") - void protocolNamesContainConfiguredProtocols() { - Vector names = server.getProtocolNames(); - - assertThat(names).hasSize(2); - assertThat(names).contains(ProtocolName.HTTP_2_TLS, ProtocolName.HTTP_1_1); - } - - @Test - @SuppressWarnings("unchecked") - void protocolNamesEmptyWhenNullConfigured() { - ZuulPskServer serverNoProtocols = new ZuulPskServer(crypto, registry, pskProvider, ctx, null); - - Vector names = serverNoProtocols.getProtocolNames(); - - assertThat(names).isEmpty(); - } - - @Test - void cipherSuiteConstantsHaveExpectedValues() { - assertThat(CipherSuite.TLS_AES_128_GCM_SHA256).isEqualTo(0x1301); - assertThat(CipherSuite.TLS_AES_256_GCM_SHA384).isEqualTo(0x1302); - assertThat(CipherSuite.TLS_CHACHA20_POLY1305_SHA256).isEqualTo(0x1303); - } - - @Test - void tlsCryptoProviderCreatesValidCrypto() { - assertThat(crypto).isNotNull(); - assertThat(crypto.hasRSAEncryption()).isTrue(); - } -} diff --git a/zuul-integration-test/dependencies.lock b/zuul-integration-test/dependencies.lock index 07bd3df3d9..bb88c27d25 100644 
--- a/zuul-integration-test/dependencies.lock +++ b/zuul-integration-test/dependencies.lock @@ -192,19 +192,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ @@ -746,19 +746,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ @@ -984,19 +984,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ @@ -1415,19 +1415,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ 
diff --git a/zuul-processor/dependencies.lock b/zuul-processor/dependencies.lock index b30ae99fcf..24bc09ed7e 100644 --- a/zuul-processor/dependencies.lock +++ b/zuul-processor/dependencies.lock @@ -485,19 +485,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ @@ -711,19 +711,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ @@ -932,19 +932,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ 
@@ -1292,19 +1292,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ diff --git a/zuul-sample/dependencies.lock b/zuul-sample/dependencies.lock index 00672efec6..83d49dec36 100644 --- a/zuul-sample/dependencies.lock +++ b/zuul-sample/dependencies.lock @@ -192,19 +192,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ @@ -731,19 +731,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ @@ -960,19 +960,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [ 
@@ -1337,19 +1337,19 @@ "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bcprov-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.bouncycastle:bctls-jdk18on": { "firstLevelTransitive": [ "com.netflix.zuul:zuul-core" ], - "locked": "1.83" + "locked": "1.78.1" }, "org.jspecify:jspecify": { "firstLevelTransitive": [