tls_available support

Author: scottf

src/main/java/io/nats/client/Options.java

@@ -38,6 +38,7 @@
 import java.util.concurrent.*;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import static io.nats.client.support.ApiConstants.TLS_REQUIRED;
 import static io.nats.client.support.Encoding.uriDecode;
 import static io.nats.client.support.NatsConstants.*;
 import static io.nats.client.support.SSLUtils.DEFAULT_TLS_ALGORITHM;
@@ -492,7 +493,7 @@ public class Options {
      * Protocol key {@value}, see
      * {@link Builder#sslContext(SSLContext) sslContext}.
      */
-    static final String OPTION_TLS_REQUIRED = "tls_required";
+    static final String OPTION_TLS_REQUIRED = TLS_REQUIRED;
 
     /**
      * Protocol key {@value}, see {@link Builder#token(String)
@@ -1710,6 +1711,10 @@ else if (useDefaultTls) {
                 }
             }
 
+            if (tlsFirst && sslContext == null) {
+                throw new IllegalStateException("SSL context required for tls handshake first");
+            }
+
             if (credentialPath != null) {
                 File file = new File(credentialPath).getAbsoluteFile();
                 authHandler = Nats.credentials(file.toString());
@@ -2101,10 +2106,10 @@ public int getMaxControlLine() {
 
     /**
      *
-     * @return true if there is an sslContext for this Options, otherwise false, see {@link Builder#secure() secure()} in the builder doc
+     * @return true if there is an sslContext for these Options, otherwise false, see {@link Builder#secure() secure()} in the builder doc
      */
     public boolean isTLSRequired() {
-        return tlsFirst || this.sslContext != null;
+        return sslContext != null;
     }
 
     /**

src/main/java/io/nats/client/api/ServerInfo.java

@@ -35,6 +35,7 @@ public class ServerInfo {
     private final boolean headersSupported;
     private final boolean authRequired;
     private final boolean tlsRequired;
+    private final boolean tlsAvailable;
     private final long maxPayload;
     private final List<String> connectURLs;
     private final int protocolVersion;
@@ -67,7 +68,8 @@ public ServerInfo(String json) {
         headersSupported = readBoolean(jv, HEADERS);
         authRequired = readBoolean(jv, AUTH_REQUIRED);
         nonce = readBytes(jv, NONCE);
-        tlsRequired = readBoolean(jv, TLS);
+        tlsRequired = readBoolean(jv, TLS_REQUIRED);
+        tlsAvailable = readBoolean(jv, TLS_AVAILABLE);
         lameDuckMode = readBoolean(jv, LAME_DUCK_MODE);
         jetStream = readBoolean(jv, JETSTREAM);
         port = readInteger(jv, PORT, 0);
@@ -84,57 +86,61 @@ public boolean isLameDuckMode() {
     }
 
     public String getServerId() {
-        return this.serverId;
+        return serverId;
     }
 
     public String getServerName() {
         return serverName;
     }
 
     public String getVersion() {
-        return this.version;
+        return version;
     }
 
     public String getGoVersion() {
-        return this.go;
+        return go;
     }
 
     public String getHost() {
-        return this.host;
+        return host;
     }
 
     public int getPort() {
-        return this.port;
+        return port;
     }
 
     public int getProtocolVersion() {
-        return this.protocolVersion;
+        return protocolVersion;
     }
 
-    public boolean isHeadersSupported() { return this.headersSupported; }
+    public boolean isHeadersSupported() { return headersSupported; }
 
     public boolean isAuthRequired() {
-        return this.authRequired;
+        return authRequired;
     }
 
     public boolean isTLSRequired() {
-        return this.tlsRequired;
+        return tlsRequired;
+    }
+
+    public boolean isTLSAvailable() {
+        return tlsAvailable;
     }
 
     public long getMaxPayload() {
-        return this.maxPayload;
+        return maxPayload;
     }
 
     public List<String> getConnectURLs() {
-        return this.connectURLs;
+        return connectURLs;
     }
 
     public byte[] getNonce() {
-        return this.nonce;
+        return nonce;
     }
 
     public boolean isJetStreamAvailable() {
-        return this.jetStream;
+        return jetStream;
     }
 
     public int getClientId() {
@@ -172,24 +178,25 @@ public boolean isSameOrNewerThanVersion(String vTarget) {
     @Override
     public String toString() {
         return "ServerInfo{" +
-                "serverId='" + serverId + '\'' +
-                ", serverName='" + serverName + '\'' +
-                ", version='" + version + '\'' +
-                ", go='" + go + '\'' +
-                ", host='" + host + '\'' +
-                ", port=" + port +
-                ", headersSupported=" + headersSupported +
-                ", authRequired=" + authRequired +
-                ", tlsRequired=" + tlsRequired +
-                ", maxPayload=" + maxPayload +
-                ", connectURLs=" + connectURLs +
-                ", protocolVersion=" + protocolVersion +
-                ", nonce=" + Arrays.toString(nonce) +
-                ", lameDuckMode=" + lameDuckMode +
-                ", jetStream=" + jetStream +
-                ", clientId=" + clientId +
-                ", clientIp='" + clientIp + '\'' +
-                ", cluster='" + cluster + '\'' +
-                '}';
+            "serverId='" + serverId + '\'' +
+            ", serverName='" + serverName + '\'' +
+            ", version='" + version + '\'' +
+            ", go='" + go + '\'' +
+            ", host='" + host + '\'' +
+            ", port=" + port +
+            ", headersSupported=" + headersSupported +
+            ", authRequired=" + authRequired +
+            ", tlsRequired=" + tlsRequired +
+            ", tlsAvailable=" + tlsAvailable +
+            ", maxPayload=" + maxPayload +
+            ", connectURLs=" + connectURLs +
+            ", protocolVersion=" + protocolVersion +
+            ", nonce=" + Arrays.toString(nonce) +
+            ", lameDuckMode=" + lameDuckMode +
+            ", jetStream=" + jetStream +
+            ", clientId=" + clientId +
+            ", clientIp='" + clientIp + '\'' +
+            ", cluster='" + cluster + '\'' +
+            '}';
     }
 }

src/main/java/io/nats/client/impl/NatsConnection.java

@@ -577,40 +577,29 @@ public void run() {
     void checkVersionRequirements() throws IOException {
         Options opts = getOptions();
         ServerInfo info = getInfo();
-
         if (opts.isNoEcho() && info.getProtocolVersion() < 1) {
             throw new IOException("Server does not support no echo.");
         }
     }
 
     void upgradeToSecureIfNeeded(NatsUri nuri) throws IOException {
-        Options clientOptions = getOptions();
-        if (clientOptions.isTlsFirst()) {
-            this.dataPort.upgradeToSecure();
+        if (options.isTlsFirst()) {
+            dataPort.upgradeToSecure();
         }
         else {
             ServerInfo serverInfo = getInfo();
-            boolean before2_9_19 = serverInfo.isOlderThanVersion("2.9.19");
-
-            boolean isTLSRequired = clientOptions.isTLSRequired();
-            boolean upgradeRequired = isTLSRequired;
-            if (isTLSRequired && nuri.isWebsocket()) {
-                // We are already communicating over "https" websocket, so
-                // do NOT try to upgrade to secure.
-                if (before2_9_19) {
-                    isTLSRequired = false;
+            if (options.isTLSRequired()) {
+                if (!nuri.isWebsocket()) {
+                    // When already communicating over "https" websocket, do NOT try to upgrade to secure.
+                    if (!serverInfo.isTLSRequired() && !serverInfo.isTLSAvailable()) {
+                        throw new IOException("SSL connection wanted by client.");
+                    }
+                    dataPort.upgradeToSecure();
                 }
-                upgradeRequired = false;
             }
-            if (isTLSRequired && !serverInfo.isTLSRequired()) {
-                throw new IOException("SSL connection wanted by client.");
-            }
-            else if (!isTLSRequired && serverInfo.isTLSRequired()) {
+            else if (serverInfo.isTLSRequired()) {
                 throw new IOException("SSL required by server.");
             }
-            if (upgradeRequired) {
-                this.dataPort.upgradeToSecure();
-            }
         }
     }
 

src/main/java/io/nats/client/support/ApiConstants.java

@@ -195,6 +195,8 @@ public interface ApiConstants {
     String TIME              = "time";
     String TIMESTAMP         = "ts";
     String TLS               = "tls_required";
+    String TLS_REQUIRED      = TLS;
+    String TLS_AVAILABLE     = "tls_available";
     String TOTAL             = "total";
     String TYPE              = "type";
     String VERSION           = "version";

src/test/java/io/nats/client/api/ServerInfoTests.java

@@ -40,6 +40,7 @@ public void testValidInfoString() {
         assertEquals(7777, info.getPort());
         assertTrue(info.isAuthRequired());
         assertTrue(info.isTLSRequired());
+        assertTrue(info.isTLSAvailable());
         assertTrue(info.isHeadersSupported());
         assertEquals(100_000_000_000L, info.getMaxPayload());
         assertEquals(1, info.getProtocolVersion());

src/test/java/io/nats/client/impl/TLSConnectTests.java

@@ -397,4 +397,96 @@ public void testSSLContextFactoryPropertiesPassOnCorrectly() throws NoSuchAlgori
         assertEquals("tlsAlgorithm", factory.properties.tlsAlgorithm);
         assertEquals("tlsAlgorithm", factory.properties.getTlsAlgorithm());
     }
+
+    private static final int SERVER_INSECURE = 1;
+    private static final int SERVER_TLS_AVAILABLE = 2;
+    private static final int SERVER_TLS_REQUIRED = 3;
+    static class ProxyConnection extends NatsConnection {
+        int serverType;
+
+        public ProxyConnection(String servers, boolean tlsFirst, ErrorListener listener, int serverType) throws Exception {
+            super(makeMiddleman(servers, tlsFirst, listener));
+            this.serverType = serverType;
+        }
+
+        private static Options makeMiddleman(String servers, boolean tlsFirst, ErrorListener listener) throws Exception {
+            Options.Builder builder = new Options.Builder()
+                .server(servers)
+                .maxReconnects(0)
+                .sslContext(SslTestingHelper.createTestSSLContext())
+                .errorListener(listener);
+
+            if (tlsFirst) {
+                builder.tlsFirst();
+            }
+
+            return builder.build();
+        }
+
+        @Override
+        void handleInfo(String infoJson) {
+            switch (serverType) {
+                case SERVER_INSECURE:
+                    super.handleInfo(infoJson.replace(",\"tls_required\":true", "")); break;
+                case SERVER_TLS_AVAILABLE:
+                    super.handleInfo(infoJson.replace("\"tls_required\":true", "\"tls_available\":true")); break;
+                default:
+                    super.handleInfo(infoJson);
+            }
+        }
+    }
+
+    /*
+        1. client tls first      | secure proxy | server insecure      -> connects
+        2. client tls first      | secure proxy | server tls required  -> connects
+        3. client tls first      | secure proxy | server tls available -> connects
+        4. client regular secure | secure proxy | server insecure      -> mismatch exception
+        5. client regular secure | secure proxy | server tls required  -> connects
+        6. client regular secure | secure proxy | server tls available -> connects
+    */
+
+    @Test
+    public void testProxyTlsFirst() throws Exception {
+        if (TestBase.atLeast2_10_3(ensureRunServerInfo())) {
+            try (NatsTestServer ts = new NatsTestServer("src/test/resources/tls_first.conf", false)) {
+                // 1. client tls first | secure proxy | server insecure -> connects
+                ProxyConnection connTI = new ProxyConnection(ts.getURI(), true, null, SERVER_INSECURE);
+                connTI.connect(false);
+                closeConnection(standardConnectionWait(connTI), 1000);
+
+                // 2. client tls first | secure proxy | server tls required -> connects
+                ProxyConnection connTR = new ProxyConnection(ts.getURI(), true, null, SERVER_TLS_REQUIRED);
+                connTR.connect(false);
+                closeConnection(standardConnectionWait(connTR), 1000);
+
+                // 3. client tls first | secure proxy | server tls available -> connects
+                ProxyConnection connTA = new ProxyConnection(ts.getURI(), true, null, SERVER_TLS_AVAILABLE);
+                connTA.connect(false);
+                closeConnection(standardConnectionWait(connTA), 1000);
+            }
+        }
+    }
+
+    @SuppressWarnings({"resource"})
+    @Test
+    public void testProxyNotTlsFirst() throws Exception {
+        try (NatsTestServer ts = new NatsTestServer("src/test/resources/tls.conf", false)) {
+            // 4. client regular secure | secure proxy | server insecure -> mismatch exception
+            ListenerForTesting listener = new ListenerForTesting();
+            ProxyConnection connRI = new ProxyConnection(ts.getURI(), false, listener, SERVER_INSECURE);
+            assertThrows(Exception.class, () -> connRI.connect(false));
+            assertEquals(1, listener.getExceptions().size());
+            assertTrue(listener.getExceptions().get(0).getMessage().contains("SSL connection wanted by client"));
+
+            // 5. client regular secure | secure proxy | server tls required  -> connects
+            ProxyConnection connRR = new ProxyConnection(ts.getURI(), false, null, SERVER_TLS_REQUIRED);
+            connRR.connect(false);
+            closeConnection(standardConnectionWait(connRR), 1000);
+
+            // 6. client regular secure | secure proxy | server tls available -> connects
+            ProxyConnection connRA = new ProxyConnection(ts.getURI(), false, null, SERVER_TLS_AVAILABLE);
+            connRA.connect(false);
+            closeConnection(standardConnectionWait(connRA), 1000);
+        }
+    }
 }

src/test/resources/data/ServerInfoJson.txt

@@ -1 +1 @@
-INFO {"server_id": "serverId","server_name": "serverName","version": "1.2.3","go": "go0.0.0","host": "host","port": 7777,"headersSupported": true,"auth_required": true,"tls_required": true,"max_payload": 100000000000,"proto": 1,"ldm": true,"jetstream": true,"client_id": 42,"client_ip": "127.0.0.1","cluster": "cluster","connect_urls":["url0", "url1"],"nonce":"<encoded>","headers": true,}
+INFO {"server_id": "serverId","server_name": "serverName","version": "1.2.3","go": "go0.0.0","host": "host","port": 7777,"headersSupported": true,"auth_required": true,"tls_required": true,"tls_available": true,"max_payload": 100000000000,"proto": 1,"ldm": true,"jetstream": true,"client_id": 42,"client_ip": "127.0.0.1","cluster": "cluster","connect_urls":["url0", "url1"],"nonce":"<encoded>","headers": true,}