mirror of
https://github.com/google/nomulus.git
synced 2025-04-30 03:57:51 +02:00
6f4b059cc9
This led to confusion for an open source contributor about how to format code. We don't want to be like, "do as I say, not as I do." https://google.github.io/styleguide/javaguide.html#s7.1.2-javadoc-paragraphs ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=122589700
72 lines
3.3 KiB
Java
72 lines
3.3 KiB
Java
// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package google.registry.flows;
|
|
|
|
import static com.google.common.io.ByteStreams.toByteArray;
|
|
import static google.registry.flows.EppServletUtils.handleEppCommandAndWriteResponse;
|
|
|
|
import google.registry.util.FormattingLogger;
|
|
|
|
import java.io.IOException;
|
|
|
|
import javax.servlet.http.HttpServlet;
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
|
/**
|
|
* The {@link EppTlsServlet} class establishes a transport for EPP+TLS over* HTTP. All commands and
|
|
* responses are EPP XML according to RFC 5730. Commands must must requested via POST.
|
|
*
|
|
* <p>There are a number of expected headers to this endpoint:
|
|
* <dl>
|
|
* <dt>{@value #SSL_CLIENT_CERTIFICATE_HASH_FIELD}
|
|
* <dd>
|
|
* This field should contain a base64 encoded digest of the client's TLS certificate. It is
|
|
* validated during an EPP login command against a known good value that is transmitted out of
|
|
* band.
|
|
* <dt>{@value #FORWARDED_FOR_FIELD}
|
|
* <dd>
|
|
* This field should contain the host and port of the connecting client. It is validated during
|
|
* an EPP login command against an IP whitelist that is transmitted out of band.
|
|
* <dt>{@value #REQUESTED_SERVERNAME_VIA_SNI_FIELD}
|
|
* <dd>
|
|
* This field should contain the servername that the client requested during the TLS handshake.
|
|
* It is unused, but expected to be present in the GFE-proxied configuration.
|
|
* </dl>
|
|
*/
|
|
public class EppTlsServlet extends HttpServlet {
|
|
|
|
private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
|
|
|
|
static final String REQUESTED_SERVERNAME_VIA_SNI_FIELD = "X-GFE-Requested-Servername-SNI";
|
|
static final String FORWARDED_FOR_FIELD = "X-Forwarded-For";
|
|
static final String SSL_CLIENT_CERTIFICATE_HASH_FIELD = "X-GFE-SSL-Certificate";
|
|
|
|
@Override
|
|
public void doPost(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
|
|
// Check that SNI header is present. This is a signal that we're receiving traffic proxied by a
|
|
// GFE, which is the expectation of this servlet. The value is unused.
|
|
TlsCredentials tlsCredentials = new TlsCredentials(req);
|
|
if (!tlsCredentials.hasSni()) {
|
|
logger.warning("Request did not include required SNI header.");
|
|
}
|
|
SessionMetadata sessionMetadata = new HttpSessionMetadata(tlsCredentials, req.getSession(true));
|
|
// Note that we are using the raw input stream rather than the reader, which implies that we are
|
|
// ignoring the HTTP-specified charset (if any) in favor of whatever charset the XML declares.
|
|
// This is ok because this code is only called from the proxy, which can't specify a charset
|
|
// (it blindly copies bytes off a socket).
|
|
handleEppCommandAndWriteResponse(toByteArray(req.getInputStream()), rsp, sessionMetadata);
|
|
}
|
|
}
|