/* * SPDX-License-Identifier: Apache-2.0 * * The OpenSearch Contributors require contributions made to * this file be licensed under the Apache-2.0 license or a * compatible open source license. */ /* * Licensed to Elasticsearch under one or more contributor * license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright * ownership. Elasticsearch licenses this file to you under * the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ /* * Modifications Copyright OpenSearch Contributors. See * GitHub history for details. */ package org.opensearch.common.ssl; import java.util.Collections; import java.util.LinkedHashMap; import java.util.Locale; import java.util.Map; import java.util.stream.Collectors; /** * Represents the verification mode to be used for SSL connections. */ public enum SslVerificationMode { /** * Verify neither the hostname, nor the provided certificate. */ NONE { @Override public boolean isHostnameVerificationEnabled() { return false; } @Override public boolean isCertificateVerificationEnabled() { return false; } }, /** * Verify the provided certificate against the trust chain, but do not verify the hostname. */ CERTIFICATE { @Override public boolean isHostnameVerificationEnabled() { return false; } @Override public boolean isCertificateVerificationEnabled() { return true; } }, /** * Verify the provided certificate against the trust chain, and also verify that the hostname to which this client is connected * matches one of the Subject-Alternative-Names in the certificate. */ FULL { @Override public boolean isHostnameVerificationEnabled() { return true; } @Override public boolean isCertificateVerificationEnabled() { return true; } }; /** * @return true if hostname verification is enabled */ public abstract boolean isHostnameVerificationEnabled(); /** * @return true if certificate verification is enabled */ public abstract boolean isCertificateVerificationEnabled(); private static final Map<String, SslVerificationMode> LOOKUP = Collections.unmodifiableMap(buildLookup()); private static Map<String, SslVerificationMode> buildLookup() { Map<String, SslVerificationMode> map = new LinkedHashMap<>(3); map.put("none", NONE); map.put("certificate", CERTIFICATE); map.put("full", FULL); return map; } public static SslVerificationMode parse(String value) { final SslVerificationMode mode = LOOKUP.get(value.toLowerCase(Locale.ROOT)); if (mode == null) { final String allowedValues = LOOKUP.keySet().stream().collect(Collectors.joining(",")); throw new SslConfigException( "could not resolve ssl client verification mode, unknown value [" + value + "], recognised values are [" + allowedValues + "]" ); } return mode; } }