ZOOKEEPER-4835: Make use of Netty optional when no SSL is used

pom.xml

@@ -574,6 +574,7 @@
     <commons-io.version>2.17.0</commons-io.version>
     <burningwave.mockdns.version>0.25.4</burningwave.mockdns.version>
     <dnsjava.version>3.5.1</dnsjava.version>
+    <archunit.version>1.3.0</archunit.version>
     <clover-maven-plugin.version>4.4.1</clover-maven-plugin.version>
     <sonar-maven-plugin.version>3.7.0.1746</sonar-maven-plugin.version>
 
@@ -710,6 +711,11 @@
         <version>${mockito.version}</version>
         <scope>test</scope>
       </dependency>
+      <dependency>
+        <groupId>com.tngtech.archunit</groupId>
+        <artifactId>archunit-junit5</artifactId>
+        <version>${archunit.version}</version>
+      </dependency>
       <dependency>
         <groupId>io.netty</groupId>
         <artifactId>netty-bom</artifactId>

zookeeper-assembly/pom.xml

@@ -115,6 +115,21 @@
       <groupId>org.xerial.snappy</groupId>
       <artifactId>snappy-java</artifactId>
     </dependency>
+    <!-- Netty is an optional dependency of zookeeper-server but should be
+         included in the server distribution for SSL/TLS support. -->
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-handler</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-transport-native-epoll</artifactId>
+      <classifier>linux-x86_64</classifier>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-tcnative-boringssl-static</artifactId>
+    </dependency>
   </dependencies>
 
   <build>

zookeeper-server/pom.xml

@@ -65,15 +65,18 @@
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-handler</artifactId>
+      <optional>true</optional>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-transport-native-epoll</artifactId>
       <classifier>linux-x86_64</classifier>
+      <optional>true</optional>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-tcnative-boringssl-static</artifactId>
+      <optional>true</optional>
     </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>
@@ -180,6 +183,11 @@
       <artifactId>tools</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>com.tngtech.archunit</groupId>
+      <artifactId>archunit-junit5</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.xerial.snappy</groupId>
       <artifactId>snappy-java</artifactId>

zookeeper-server/src/main/java/org/apache/zookeeper/ClientCnxnSocketNetty.java

@@ -51,7 +51,7 @@
 import org.apache.zookeeper.ClientCnxn.EndOfStreamException;
 import org.apache.zookeeper.ClientCnxn.Packet;
 import org.apache.zookeeper.client.ZKClientConfig;
-import org.apache.zookeeper.common.ClientX509Util;
+import org.apache.zookeeper.common.ClientNettyX509Util;
 import org.apache.zookeeper.common.NettyUtils;
 import org.apache.zookeeper.common.X509Exception;
 import org.slf4j.Logger;
@@ -445,7 +445,7 @@ protected void initChannel(SocketChannel ch) throws Exception {
         private synchronized void initSSL(ChannelPipeline pipeline)
             throws X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
             if (sslContext == null) {
-                try (ClientX509Util x509Util = new ClientX509Util()) {
+                try (ClientNettyX509Util x509Util = new ClientNettyX509Util()) {
                     sslContext = x509Util.createNettySslContextForClient(clientConfig);
                 }
             }

zookeeper-server/src/main/java/org/apache/zookeeper/ZooKeeper.java

@@ -3142,10 +3142,17 @@ protected SocketAddress testableLocalSocketAddress() {
 
     private ClientCnxnSocket getClientCnxnSocket() throws IOException {
         String clientCnxnSocketName = getClientConfig().getProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET);
-        if (clientCnxnSocketName == null || clientCnxnSocketName.equals(ClientCnxnSocketNIO.class.getSimpleName())) {
+        if (clientCnxnSocketName == null) {
+            boolean secureClient = getClientConfig().getBoolean(ZKClientConfig.SECURE_CLIENT);
+            if (secureClient) {
+                clientCnxnSocketName = "org.apache.zookeeper.ClientCnxnSocketNetty";
+            } else {
+                clientCnxnSocketName = ClientCnxnSocketNIO.class.getName();
+            }
+        } else if (clientCnxnSocketName.equals(ClientCnxnSocketNIO.class.getSimpleName())) {
             clientCnxnSocketName = ClientCnxnSocketNIO.class.getName();
-        } else if (clientCnxnSocketName.equals(ClientCnxnSocketNetty.class.getSimpleName())) {
-            clientCnxnSocketName = ClientCnxnSocketNetty.class.getName();
+        } else if (clientCnxnSocketName.equals("ClientCnxnSocketNetty")) {
+            clientCnxnSocketName = "org.apache.zookeeper.ClientCnxnSocketNetty";
         }
 
         try {
@@ -3154,7 +3161,19 @@ private ClientCnxnSocket getClientCnxnSocket() throws IOException {
             ClientCnxnSocket clientCxnSocket = (ClientCnxnSocket) clientCxnConstructor.newInstance(getClientConfig());
             return clientCxnSocket;
         } catch (Exception e) {
-            throw new IOException("Couldn't instantiate " + clientCnxnSocketName, e);
+            String msg = "Couldn't instantiate " + clientCnxnSocketName;
+            if (getClientConfig().getBoolean(ZKClientConfig.SECURE_CLIENT)) {
+                msg += ". SSL/TLS support requires Netty; please add netty-handler"
+                    + " (and optionally netty-tcnative-boringssl-static) to your project's dependencies.";
+            }
+            throw new IOException(msg, e);
+        } catch (NoClassDefFoundError e) {
+            String msg = "Couldn't instantiate " + clientCnxnSocketName;
+            if (getClientConfig().getBoolean(ZKClientConfig.SECURE_CLIENT)) {
+                msg += ". SSL/TLS support requires Netty; please add netty-handler"
+                    + " (and optionally netty-tcnative-boringssl-static) to your project's dependencies.";
+            }
+            throw new IOException(msg, e);
         }
     }
 

zookeeper-server/src/main/java/org/apache/zookeeper/cli/HexDumpOutputFormatter.java

@@ -18,17 +18,44 @@
 
 package org.apache.zookeeper.cli;
 
-import io.netty.buffer.ByteBuf;
-import io.netty.buffer.ByteBufUtil;
-import io.netty.buffer.Unpooled;
-
 public class HexDumpOutputFormatter implements OutputFormatter {
 
     public static final HexDumpOutputFormatter INSTANCE = new HexDumpOutputFormatter();
 
+    private static final int BYTES_PER_ROW = 16;
+    private static final int ASCII_PRINTABLE_MIN = 0x20; // space
+    private static final int ASCII_PRINTABLE_MAX = 0x7f; // DEL (exclusive)
+    private static final String HEADER_LINE =
+        "         +-------------------------------------------------+\n"
+        + "         |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |\n"
+        + "+--------+-------------------------------------------------+----------------+";
+    private static final String FOOTER_LINE =
+        "+--------+-------------------------------------------------+----------------+";
+
     @Override
     public String format(byte[] data) {
-        ByteBuf buf = Unpooled.wrappedBuffer(data);
-        return ByteBufUtil.prettyHexDump(buf);
+        if (data == null || data.length == 0) {
+            return "";
+        }
+        StringBuilder sb = new StringBuilder();
+        sb.append(HEADER_LINE).append('\n');
+        for (int offset = 0; offset < data.length; offset += BYTES_PER_ROW) {
+            sb.append(String.format("|%08x|", offset));
+            StringBuilder charPart = new StringBuilder();
+            for (int i = 0; i < BYTES_PER_ROW; i++) {
+                if (offset + i < data.length) {
+                    int b = data[offset + i] & 0xFF;
+                    sb.append(String.format(" %02x", b));
+                    char c = (char) b;
+                    charPart.append(c >= ASCII_PRINTABLE_MIN && c < ASCII_PRINTABLE_MAX ? c : '.');
+                } else {
+                    sb.append("   ");
+                    charPart.append(' ');
+                }
+            }
+            sb.append("  |").append(charPart).append("|\n");
+        }
+        sb.append(FOOTER_LINE);
+        return sb.toString();
     }
 }

zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientNettyX509Util.java

@@ -0,0 +1,176 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.common;
+
+import io.netty.handler.ssl.DelegatingSslContext;
+import io.netty.handler.ssl.OpenSsl;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslProvider;
+import java.security.Security;
+import java.util.Arrays;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.TrustManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Extends {@link ClientX509Util} with Netty-specific SSL context creation
+ * methods. This class is only loaded when Netty is present on the classpath.
+ * Code that only needs SSL property names should use {@link ClientX509Util}
+ * directly so that Netty remains an optional dependency.
+ */
+public class ClientNettyX509Util extends ClientX509Util {
+
+    private static final Logger LOG = LoggerFactory.getLogger(ClientNettyX509Util.class);
+
+    public SslContext createNettySslContextForClient(ZKConfig config)
+        throws X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
+        SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+
+        KeyManager km = buildKeyManager(config);
+        if (km != null) {
+            sslContextBuilder.keyManager(km);
+        }
+
+        TrustManager tm = buildTrustManager(config);
+        if (tm != null) {
+            sslContextBuilder.trustManager(tm);
+        }
+
+        handleTcnativeOcspStapling(sslContextBuilder, config);
+        String[] enabledProtocols = getEnabledProtocols(config);
+        if (enabledProtocols != null) {
+            sslContextBuilder.protocols(enabledProtocols);
+        }
+        Iterable<String> enabledCiphers = getCipherSuites(config);
+        if (enabledCiphers != null) {
+            sslContextBuilder.ciphers(enabledCiphers);
+        }
+        sslContextBuilder.sslProvider(getSslProvider(config));
+
+        SslContext sslContext1 = sslContextBuilder.build();
+
+        if ((getFipsMode(config) || tm == null) && isServerHostnameVerificationEnabled(config)) {
+            return addHostnameVerification(sslContext1, "Server");
+        } else {
+            return sslContext1;
+        }
+    }
+
+    public SslContext createNettySslContextForServer(ZKConfig config)
+        throws X509Exception.SSLContextException, X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
+        KeyManager km = buildKeyManager(config);
+        if (km == null) {
+            throw new X509Exception.SSLContextException(
+                "Keystore is required for SSL server: " + getSslKeystoreLocationProperty());
+        }
+        return createNettySslContextForServer(config, km, buildTrustManager(config));
+    }
+
+    public SslContext createNettySslContextForServer(ZKConfig config, KeyManager keyManager, TrustManager trustManager) throws SSLException {
+        SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(keyManager);
+
+        if (trustManager != null) {
+            sslContextBuilder.trustManager(trustManager);
+        }
+
+        handleTcnativeOcspStapling(sslContextBuilder, config);
+        String[] enabledProtocols = getEnabledProtocols(config);
+        if (enabledProtocols != null) {
+            sslContextBuilder.protocols(enabledProtocols);
+        }
+        sslContextBuilder.clientAuth(toNettyClientAuth(getClientAuth(config)));
+        Iterable<String> enabledCiphers = getCipherSuites(config);
+        if (enabledCiphers != null) {
+            sslContextBuilder.ciphers(enabledCiphers);
+        }
+        sslContextBuilder.sslProvider(getSslProvider(config));
+
+        SslContext sslContext1 = sslContextBuilder.build();
+
+        if ((getFipsMode(config) || trustManager == null) && isClientHostnameVerificationEnabled(config)) {
+            return addHostnameVerification(sslContext1, "Client");
+        } else {
+            return sslContext1;
+        }
+    }
+
+    private SslContextBuilder handleTcnativeOcspStapling(SslContextBuilder builder, ZKConfig config) {
+        SslProvider sslProvider = getSslProvider(config);
+        boolean tcnative = sslProvider == SslProvider.OPENSSL || sslProvider == SslProvider.OPENSSL_REFCNT;
+        boolean ocspEnabled = config.getBoolean(getSslOcspEnabledProperty(), Boolean.parseBoolean(Security.getProperty("ocsp.enable")));
+
+        if (tcnative && ocspEnabled && OpenSsl.isOcspSupported()) {
+            builder.enableOcsp(ocspEnabled);
+        }
+        return builder;
+    }
+
+    private SslContext addHostnameVerification(SslContext sslContext, String clientOrServer) {
+        return new DelegatingSslContext(sslContext) {
+            @Override
+            protected void initEngine(SSLEngine sslEngine) {
+                SSLParameters sslParameters = sslEngine.getSSLParameters();
+                sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+                sslEngine.setSSLParameters(sslParameters);
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("{} hostname verification: enabled HTTPS style endpoint identification algorithm", clientOrServer);
+                }
+            }
+        };
+    }
+
+    private String[] getEnabledProtocols(final ZKConfig config) {
+        String enabledProtocolsInput = config.getProperty(getSslEnabledProtocolsProperty());
+        if (enabledProtocolsInput == null) {
+            return null;
+        }
+        return enabledProtocolsInput.split(",");
+    }
+
+    private X509Util.ClientAuth getClientAuth(final ZKConfig config) {
+        return X509Util.ClientAuth.fromPropertyValue(config.getProperty(getSslClientAuthProperty()));
+    }
+
+    private static io.netty.handler.ssl.ClientAuth toNettyClientAuth(X509Util.ClientAuth clientAuth) {
+        switch (clientAuth) {
+            case NONE: return io.netty.handler.ssl.ClientAuth.NONE;
+            case WANT: return io.netty.handler.ssl.ClientAuth.OPTIONAL;
+            case NEED: return io.netty.handler.ssl.ClientAuth.REQUIRE;
+            default: throw new IllegalArgumentException("Unknown ClientAuth: " + clientAuth);
+        }
+    }
+
+    private Iterable<String> getCipherSuites(final ZKConfig config) {
+        String cipherSuitesInput = config.getProperty(getSslCipherSuitesProperty());
+        if (cipherSuitesInput == null) {
+            return null;
+        } else {
+            return Arrays.asList(cipherSuitesInput.split(","));
+        }
+    }
+
+    public SslProvider getSslProvider(ZKConfig config) {
+        return SslProvider.valueOf(config.getProperty(getSslProviderProperty(), "JDK"));
+    }
+}