oncrpc: add support for AUTH_TLS

Motivation:
To secure NFS over public networks there is an IETF activity to define
rpc-over-tls. To avoid extra TCP port number allocation and compatibility
with non TLS clients a start TLS mechanism in introduced by AUTH_TLS rpc
security flavor.

See https://datatracker.ietf.org/doc/draft-cel-nfsv4-rpc-tls/

Modification:
To ensure, that TLS is enabled only after reply is sent to the client add
a new filter that will update connections filter chain after write operation
is complete. Added RpcTransport#startTLS method to enable TLS handshake.
As IETF work still in a draft phase, the API modifications marked as `BETA`.

Result:
The current IETF draft of rpc-over-tls can be supported.

Acked-by: Paul Millar
Target: master

Author: kofemann

oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/grizzly/GrizzlyRpcTransport.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009 - 2018 Deutsches Elektronen-Synchroton,
+ * Copyright (c) 2009 - 2019 Deutsches Elektronen-Synchroton,
  * Member of the Helmholtz Association, (DESY), HAMBURG, GERMANY
  *
  * This library is free software; you can redistribute it and/or modify
@@ -31,7 +31,12 @@
 import org.glassfish.grizzly.EmptyCompletionHandler;
 import org.glassfish.grizzly.WriteResult;
 import org.glassfish.grizzly.asyncqueue.WritableMessage;
+import org.glassfish.grizzly.filterchain.FilterChain;
+import org.glassfish.grizzly.ssl.SSLFilter;
 
+import org.dcache.oncrpc4j.rpc.RpcAuthError;
+import org.dcache.oncrpc4j.rpc.RpcAuthException;
+import org.dcache.oncrpc4j.rpc.RpcAuthStat;
 import org.dcache.oncrpc4j.rpc.RpcTransport;
 
 import static java.util.Objects.requireNonNull;
@@ -108,4 +113,21 @@ public RpcTransport getPeerTransport() {
     public String toString() {
         return getRemoteSocketAddress() + " <=> " + getLocalSocketAddress();
     }
+
+    @Override
+    public void startTLS() throws RpcAuthException {
+        final FilterChain currentChain = (FilterChain) _connection.getProcessor();
+        if (currentChain.indexOfType(SSLFilter.class) >= 0) {
+            // already enabled
+            throw new IllegalStateException("TLS is already enabled.");
+        }
+
+        currentChain.stream()
+                .filter(StartTlsFilter.class::isInstance)
+                .findAny()
+                .map(StartTlsFilter.class::cast)
+                .orElseThrow(() -> new RpcAuthException("SSL is not configured",
+                        new RpcAuthError(RpcAuthStat.AUTH_FAILED)))
+                .startTLS(_connection);
+    }
 }

oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/grizzly/StartTlsFilter.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2019 Deutsches Elektronen-Synchroton,
+ * Member of the Helmholtz Association, (DESY), HAMBURG, GERMANY
+ *
+ * This library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Library General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with this program (see the file COPYING.LIB for more
+ * details); if not, write to the Free Software Foundation, Inc.,
+ * 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+package org.dcache.oncrpc4j.grizzly;
+
+import com.google.common.annotations.Beta;
+import java.io.IOException;
+import org.dcache.oncrpc4j.rpc.RpcAuthError;
+import org.dcache.oncrpc4j.rpc.RpcAuthException;
+import org.dcache.oncrpc4j.rpc.RpcAuthStat;
+import org.glassfish.grizzly.Connection;
+import org.glassfish.grizzly.EmptyCompletionHandler;
+import org.glassfish.grizzly.filterchain.Filter;
+import org.glassfish.grizzly.filterchain.BaseFilter;
+import org.glassfish.grizzly.filterchain.FilterChain;
+import org.glassfish.grizzly.filterchain.FilterChainBuilder;
+import org.glassfish.grizzly.filterchain.FilterChainContext;
+import org.glassfish.grizzly.filterchain.NextAction;
+import org.glassfish.grizzly.ssl.SSLFilter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A pass-through {@link Filter} that will enable TLS on connection if required.
+ */
+@Beta
+public class StartTlsFilter extends BaseFilter {
+
+    private final static Logger LOGGER = LoggerFactory.getLogger(StartTlsFilter.class);
+
+    private final SSLFilter sslFilter;
+    private final boolean isClient;
+    private volatile boolean start;
+
+    public StartTlsFilter(SSLFilter sslFilter, boolean isClient) {
+        this.sslFilter = sslFilter;
+        this.isClient = isClient;
+    }
+
+    @Override
+    public NextAction handleWrite(FilterChainContext ctx) throws IOException {
+        /** After service receives start-TLS it must reply to the client and then
+         * enable TLS on the connection.
+         */
+
+        NextAction nextAction = super.handleWrite(ctx);
+        if (start) {
+            enableSSLFilter(ctx.getConnection());
+        }
+
+        return nextAction;
+    }
+
+    public void startTLS(Connection connection) throws RpcAuthException {
+        start = true;
+        if (isClient) {
+            enableSSLFilter(connection);
+            try {
+                sslFilter.handshake(connection, new EmptyCompletionHandler<>());
+            } catch (IOException e) {
+                LOGGER.error("Failed to perform TLS handshake: {}", e.getMessage());
+                throw new RpcAuthException("Failed to perform TLS handshake",
+                        new RpcAuthError(RpcAuthStat.AUTH_FAILED));
+            }
+        }
+    }
+
+    private void enableSSLFilter(Connection connection) {
+        final FilterChain currentChain = (FilterChain) connection.getProcessor();
+        FilterChainBuilder chainBuilder = FilterChainBuilder
+                .stateless()
+                .addAll(currentChain)
+                .remove(this)
+                .add(1, sslFilter);
+        connection.setProcessor(chainBuilder.build());
+    }
+}

oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/OncRpcSvc.java

@@ -19,6 +19,7 @@
  */
 package org.dcache.oncrpc4j.rpc;
 
+import org.dcache.oncrpc4j.grizzly.StartTlsFilter;
 import org.dcache.oncrpc4j.rpc.net.IpProtocolType;
 import org.dcache.oncrpc4j.rpc.net.InetSocketAddresses;
 import org.dcache.oncrpc4j.rpc.gss.GssProtocolFilter;
@@ -104,6 +105,11 @@ public class OncRpcSvc {
      */
     private final SSLContext _sslContext;
 
+    /**
+     * Start TLS only when requested.
+     */
+    private final boolean _startTLS;
+
     /**
      * mapping of registered programs.
      */
@@ -173,6 +179,7 @@ public class OncRpcSvc {
         _withSubjectPropagation = builder.getSubjectPropagation();
 	_svcName = builder.getServiceName();
         _sslContext = builder.getSSLContext();
+        _startTLS = builder.isStartTLS();
     }
 
     /**
@@ -312,8 +319,9 @@ public void start() throws IOException {
                 SSLEngineConfigurator clientSSLEngineConfigurator =
                         new SSLEngineConfigurator(_sslContext, true, false, false);
 
-                filterChain.add(new SSLFilter(serverSSLEngineConfigurator,
-                        clientSSLEngineConfigurator));
+                SSLFilter sslFilter = new SSLFilter(serverSSLEngineConfigurator,
+                        clientSSLEngineConfigurator);
+                filterChain.add(_startTLS ? new StartTlsFilter(sslFilter, _isClient) : sslFilter);
             }
 
             filterChain.add(rpcMessageReceiverFor(t));

oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/OncRpcSvcBuilder.java

@@ -19,6 +19,7 @@
  */
 package org.dcache.oncrpc4j.rpc;
 
+import com.google.common.annotations.Beta;
 import com.google.common.util.concurrent.MoreExecutors;
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
 import org.dcache.oncrpc4j.rpc.gss.GssSessionManager;
@@ -78,12 +79,19 @@ public class OncRpcSvcBuilder {
     private int _workerThreadPoolSize = 0;
     private boolean _subjectPropagation = false;
     private SSLContext _sslContext = null;
+    private boolean _startTLS = false;
 
     public OncRpcSvcBuilder withAutoPublish() {
         _autoPublish = true;
         return this;
     }
 
+    @Beta
+    public OncRpcSvcBuilder withStartTLS() {
+        _startTLS = true;
+        return this;
+    }
+
     public OncRpcSvcBuilder withoutAutoPublish() {
         _autoPublish = false;
         return this;
@@ -226,6 +234,11 @@ public boolean isAutoPublish() {
         return _autoPublish;
     }
 
+    @Beta
+    public boolean isStartTLS() {
+        return _startTLS;
+    }
+
     public IoStrategy getIoStrategy() {
         return _ioStrategy;
     }

oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/RpcAuthType.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009 - 2018 Deutsches Elektronen-Synchroton,
+ * Copyright (c) 2009 - 2019 Deutsches Elektronen-Synchroton,
  * Member of the Helmholtz Association, (DESY), HAMBURG, GERMANY
  *
  * This library is free software; you can redistribute it and/or modify
@@ -40,4 +40,8 @@ public interface  RpcAuthType {
      */
     static public final int RPCGSS_SEC = 6;
 
+    /**
+     * Initiate a TLS handshake.
+     */
+    static public final int TLS = 7;
 }

oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/RpcAuthTypeTls.java

@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2019 Deutsches Elektronen-Synchroton,
+ * Member of the Helmholtz Association, (DESY), HAMBURG, GERMANY
+ *
+ * This library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Library General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with this program (see the file COPYING.LIB for more
+ * details); if not, write to the Free Software Foundation, Inc.,
+ * 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+package org.dcache.oncrpc4j.rpc;
+
+import java.io.IOException;
+import javax.security.auth.Subject;
+import org.dcache.oncrpc4j.xdr.XdrAble;
+import org.dcache.oncrpc4j.xdr.XdrDecodingStream;
+import org.dcache.oncrpc4j.xdr.XdrEncodingStream;
+
+import org.dcache.auth.Subjects;
+
+/**
+ *
+ */
+public class RpcAuthTypeTls implements RpcAuth, XdrAble {
+
+    private final RpcAuthVerifier verifier = new RpcAuthVerifier(RpcAuthType.NONE, new byte[0]);
+
+    @Override
+    public int type() {
+        return RpcAuthType.TLS;
+    }
+
+    @Override
+    public RpcAuthVerifier getVerifier() {
+        return verifier;
+    }
+
+    @Override
+    public Subject getSubject() {
+        return Subjects.NOBODY;
+    }
+
+    @Override
+    public void xdrDecode(XdrDecodingStream xdr) throws OncRpcException, IOException {
+        byte[] opaque = xdr.xdrDecodeDynamicOpaque();
+        verifier.xdrDecode(xdr);
+    }
+
+    @Override
+    public void xdrEncode(XdrEncodingStream xdr) throws OncRpcException, IOException {
+            xdr.xdrEncodeInt(type());
+            xdr.xdrEncodeInt(0); // spec: credential size must be zero
+            verifier.xdrEncode(xdr);
+    }
+
+}

oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/RpcCall.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009 - 2018 Deutsches Elektronen-Synchroton,
+ * Copyright (c) 2009 - 2019 Deutsches Elektronen-Synchroton,
  * Member of the Helmholtz Association, (DESY), HAMBURG, GERMANY
  *
  * This library is free software; you can redistribute it and/or modify
@@ -205,7 +205,7 @@ public void accept() throws IOException, OncRpcException {
         _prog = _xdr.xdrDecodeInt();
         _version = _xdr.xdrDecodeInt();
         _proc = _xdr.xdrDecodeInt();
-        _cred = RpcCredential.decode(_xdr);
+        _cred = RpcCredential.decode(_xdr, _transport);
      }
 
     /**

oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/RpcCredential.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009 - 2018 Deutsches Elektronen-Synchroton,
+ * Copyright (c) 2009 - 2019 Deutsches Elektronen-Synchroton,
  * Member of the Helmholtz Association, (DESY), HAMBURG, GERMANY
  *
  * This library is free software; you can redistribute it and/or modify
@@ -32,7 +32,7 @@ public class RpcCredential {
 
     private RpcCredential() {}
 
-    public static RpcAuth decode(XdrDecodingStream xdr) throws OncRpcException, IOException {
+    public static RpcAuth decode(XdrDecodingStream xdr, RpcTransport transport) throws OncRpcException, IOException {
 
         int authType = xdr.xdrDecodeInt();
         RpcAuth credential;
@@ -46,6 +46,10 @@ public static RpcAuth decode(XdrDecodingStream xdr) throws OncRpcException, IOEx
             case RpcAuthType.RPCGSS_SEC:
                 credential = new RpcAuthGss();
                 break;
+            case RpcAuthType.TLS:
+                credential = new RpcAuthTypeTls();
+                transport.startTLS();
+                break;
             default:
                 throw new RpcAuthException("Unsuported type: " + authType,
                                 new RpcAuthError(RpcAuthStat.AUTH_FAILED));

oncrpc4j-core/src/main/java/org/dcache/oncrpc4j/rpc/RpcTransport.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009 - 2018 Deutsches Elektronen-Synchroton,
+ * Copyright (c) 2009 - 2019 Deutsches Elektronen-Synchroton,
  * Member of the Helmholtz Association, (DESY), HAMBURG, GERMANY
  *
  * This library is free software; you can redistribute it and/or modify
@@ -19,9 +19,9 @@
  */
 package org.dcache.oncrpc4j.rpc;
 
+import com.google.common.annotations.Beta;
 import java.net.InetSocketAddress;
 import java.nio.channels.CompletionHandler;
-import org.dcache.oncrpc4j.rpc.ReplyQueue;
 import org.dcache.oncrpc4j.xdr.Xdr;
 
 /**
@@ -75,4 +75,13 @@ public interface RpcTransport {
      * @return
      */
     public RpcTransport getPeerTransport();
+
+
+    /**
+     * Enable TLS on this transport.
+     * @throws RpcAuthException if handshake can't be initialized (due to missing configuration).
+     * @throws IllegalStateException if TLS is already enabled.
+     */
+    @Beta
+    void startTLS() throws RpcAuthException, IllegalStateException;
 }