001/*
002 * Copyright 2007-2024 Ping Identity Corporation
003 * All Rights Reserved.
004 */
005/*
006 * Copyright 2007-2024 Ping Identity Corporation
007 *
008 * Licensed under the Apache License, Version 2.0 (the "License");
009 * you may not use this file except in compliance with the License.
010 * You may obtain a copy of the License at
011 *
012 *    http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing, software
015 * distributed under the License is distributed on an "AS IS" BASIS,
016 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
017 * See the License for the specific language governing permissions and
018 * limitations under the License.
019 */
020/*
021 * Copyright (C) 2007-2024 Ping Identity Corporation
022 *
023 * This program is free software; you can redistribute it and/or modify
024 * it under the terms of the GNU General Public License (GPLv2 only)
025 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
026 * as published by the Free Software Foundation.
027 *
028 * This program is distributed in the hope that it will be useful,
029 * but WITHOUT ANY WARRANTY; without even the implied warranty of
030 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
031 * GNU General Public License for more details.
032 *
033 * You should have received a copy of the GNU General Public License
034 * along with this program; if not, see <http://www.gnu.org/licenses>.
035 */
036package com.unboundid.ldap.sdk;
037
038
039
040import javax.net.ssl.SSLContext;
041import javax.net.ssl.SSLSocketFactory;
042
043import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
044import com.unboundid.util.NotMutable;
045import com.unboundid.util.NotNull;
046import com.unboundid.util.Nullable;
047import com.unboundid.util.ThreadSafety;
048import com.unboundid.util.ThreadSafetyLevel;
049import com.unboundid.util.Validator;
050
051
052
053/**
054 * This class provides an implementation of a post-connect processor that can
055 * be used to perform StartTLS negotiation on an LDAP connection that is
056 * intended to be used in a connection pool.
057 * <BR><BR>
058 * <H2>Example</H2>
059 * The following example demonstrates the use of the StartTLS post-connect
060 * processor to create an LDAP connection pool whose connections are secured
061 * using StartTLS.  See the Javadoc documentation for the
062 * {@link com.unboundid.util.ssl.SSLUtil} class for a more complete explanation
 * of the process for establishing secure connections.
064 * <PRE>
065 * // Configure an SSLUtil instance and use it to obtain an SSLContext.
066 * SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(trustStorePath));
067 * SSLContext sslContext = sslUtil.createSSLContext();
068 *
069 * // Establish an insecure connection to the directory server.
070 * LDAPConnectionOptions connectionOptions = new LDAPConnectionOptions();
071 * connectionOptions.setSSLSocketVerifier(
072 *      new HostNameSSLSocketVerifier(true));
073 * LDAPConnection connection =
074 *      new LDAPConnection(connectionOptions, serverAddress, nonSSLPort);
075 *
076 * // Use the StartTLS extended operation to secure the connection.
077 * ExtendedResult startTLSResult = connection.processExtendedOperation(
078 *      new StartTLSExtendedRequest(sslContext));
079 *
080 * // Create a connection pool that will secure its connections with StartTLS.
081 * BindResult bindResult = connection.bind(
082 *      "uid=john.doe,ou=People,dc=example,dc=com", "password");
083 * StartTLSPostConnectProcessor startTLSProcessor =
084 *      new StartTLSPostConnectProcessor(sslContext);
085 * LDAPConnectionPool pool =
086 *      new LDAPConnectionPool(connection, 1, 10, startTLSProcessor);
087 *
088 * // Verify that we can use the pool to communicate with the directory server.
089 * RootDSE rootDSE = pool.getRootDSE();
090 *
091 * // Close the connection pool.
092 * pool.close();
093 * </PRE>
094 */
@NotMutable()
@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
public final class StartTLSPostConnectProcessor
       implements PostConnectProcessor
{
  // Exactly one of the two fields below is non-null, depending on which
  // constructor was used.  Both are final, so the instance is immutable and
  // safe to share between all connections of a pool.

  // The SSL context from which the TLS layer will be negotiated, or null if
  // a socket factory was supplied instead.
  @Nullable private final SSLContext sslContext;

  // The SSL socket factory used to wrap the plaintext socket, or null if an
  // SSL context was supplied instead.
  @Nullable private final SSLSocketFactory sslSocketFactory;



  /**
   * Creates a new StartTLS post-connect processor that will negotiate TLS
   * using the provided SSL context.
   * <BR><BR>
   * Which server certificates are accepted is decided entirely by the trust
   * manager configured in this context.  This class performs no hostname
   * verification of its own; as the class-level example shows, that is
   * configured through the SSL socket verifier on the
   * {@link LDAPConnectionOptions} of the connection being processed.
   *
   * @param  sslContext  The SSL context to use to perform the StartTLS
   *                     negotiation.  It must not be {@code null}.
   */
  public StartTLSPostConnectProcessor(@NotNull final SSLContext sslContext)
  {
    Validator.ensureNotNull(sslContext);

    sslSocketFactory = null;
    this.sslContext = sslContext;
  }



  /**
   * Creates a new StartTLS post-connect processor that will negotiate TLS
   * using the provided SSL socket factory.
   * <BR><BR>
   * Which server certificates are accepted is decided entirely by the trust
   * configuration behind this socket factory.  This class performs no
   * hostname verification of its own; as the class-level example shows, that
   * is configured through the SSL socket verifier on the
   * {@link LDAPConnectionOptions} of the connection being processed.
   *
   * @param  sslSocketFactory  The SSL socket factory to use to create the
   *                           TLS-secured socket.  It must not be {@code null}.
   */
  public StartTLSPostConnectProcessor(
              @NotNull final SSLSocketFactory sslSocketFactory)
  {
    Validator.ensureNotNull(sslSocketFactory);

    sslContext = null;
    this.sslSocketFactory = sslSocketFactory;
  }



  /**
   * Negotiates StartTLS on a newly-established connection before the pool
   * authenticates it.  Because this runs in the pre-authentication hook, any
   * bind the pool subsequently performs on this connection is expected to
   * travel over the TLS layer installed here rather than in the clear.
   *
   * @param  connection  The connection on which to negotiate StartTLS.  It
   *                     must not be {@code null}.
   *
   * @throws  LDAPException  If a problem occurs while processing the StartTLS
   *                         extended request, or if the server returns any
   *                         result other than {@code SUCCESS}.  The exception
   *                         is propagated so that the caller does not treat
   *                         the connection as secured.
   */
  @Override()
  public void processPreAuthenticatedConnection(
                   @NotNull final LDAPConnection connection)
         throws LDAPException
  {
    final StartTLSExtendedRequest request = createStartTLSRequest();

    // This hook runs while the pool is still establishing the connection, so
    // bound the wait for the StartTLS response by the connection-level
    // connect timeout instead of the request's default response timeout.
    final long timeoutMillis =
         connection.getConnectionOptions().getConnectTimeoutMillis();
    request.setResponseTimeoutMillis(timeoutMillis);

    final ExtendedResult result = connection.processExtendedOperation(request);
    if (result.getResultCode().equals(ResultCode.SUCCESS))
    {
      return;
    }

    // Anything other than SUCCESS means the connection is still plaintext;
    // surface that to the caller rather than returning silently.
    throw new LDAPExtendedOperationException(result);
  }



  /**
   * Builds the StartTLS extended request from whichever of the SSL context or
   * SSL socket factory was supplied at construction time.
   *
   * @return  A StartTLS extended request backed by the configured SSL context
   *          or SSL socket factory.
   *
   * @throws  LDAPException  If a problem occurs while creating the request.
   */
  private StartTLSExtendedRequest createStartTLSRequest()
          throws LDAPException
  {
    if (sslContext != null)
    {
      return new StartTLSExtendedRequest(sslContext);
    }

    // The constructors guarantee that the socket factory is non-null here.
    return new StartTLSExtendedRequest(sslSocketFactory);
  }



  /**
   * Performs no processing.  All work for this processor happens before
   * authentication, in {@link #processPreAuthenticatedConnection}.
   *
   * @param  connection  The connection that has just been authenticated.
   *
   * @throws  LDAPException  Never thrown by this implementation.
   */
  @Override()
  public void processPostAuthenticatedConnection(
                   @NotNull final LDAPConnection connection)
         throws LDAPException
  {
    // Nothing to do once the connection has been authenticated.
  }
}