src/java/org/apache/cassandra/net/InternodeConnectionUtils.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.cassandra.net;

import java.nio.channels.ClosedChannelException;
import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import io.netty.buffer.ByteBuf;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandler;

/**
 * Class that contains certificate utility methods.
 */
public class InternodeConnectionUtils
{
    public static String SSL_HANDLER_NAME = "ssl";
    public static String DISCARD_HANDLER_NAME = "discard";
    private static final Logger logger = LoggerFactory.getLogger(InternodeConnectionUtils.class);

    public static Certificate[] certificates(Channel channel)
    {
        final SslHandler sslHandler = (SslHandler) channel.pipeline().get(SSL_HANDLER_NAME);
        Certificate[] certificates = null;
        if (sslHandler != null)
        {
            try
            {
                certificates = sslHandler.engine()
                                         .getSession()
                                         .getPeerCertificates();
            }
            catch (SSLPeerUnverifiedException e)
            {
                logger.debug("Failed to get peer certificates for peer {}", channel.remoteAddress(), e);
            }
        }
        return certificates;
    }

    public static boolean isSSLError(final Throwable cause)
    {
        return (cause instanceof ClosedChannelException)
               && cause.getCause() == null
               && cause.getStackTrace()[0].getClassName().contains("SslHandler")
               && cause.getStackTrace()[0].getMethodName().contains("channelInactive");
    }

    /**
     * Discard handler releases the received data silently. when internode authentication fails, the channel is closed,
     * but the pending buffered data may still be fired through the pipeline. To avoid that, authentication handler is
     * replaced with this DiscardHandler to release all the buffered data, to avoid handling unauthenticated data in the
     * following handlers.
     */
    public static class ByteBufDiscardHandler extends ChannelInboundHandlerAdapter
    {
        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg)
        {
            if (msg instanceof ByteBuf)
            {
                ((ByteBuf) msg).release();
            }
            else
            {
                ctx.fireChannelRead(msg);
            }
        }
    }
}