diff options
author | Michael Arrastia <MArrasti@amdocs.com> | 2018-11-08 16:57:56 +0000 |
---|---|---|
committer | Michael Arrastia <MArrasti@amdocs.com> | 2018-11-09 13:49:40 +0000 |
commit | d3e1728b11f11d3979f04be1773e338416090d77 (patch) | |
tree | 0c81e2b8d68e6a089a6fa9ef312536f5669e6a59 /sidecar/fproxy/src/main | |
parent | 60985cb838d78c1a7f3853ee355ee5b974cc72bd (diff) |
Update FProxy to separate truststore and keystore
* Create default truststore, fproxy_truststore.
* Require TRUST_STORE_PASSWORD system parameter on application start.
* Harden parameter checks in FProxyApplication PostConstruct.
* Rationalise properties in RestTemplateConfig.
* Update unit tests to handle trust store.
* Correct spring dependency in pom.
Change-Id: I0254e5d27ff76bbd7a44b961169d7fe47761d3f9
Issue-ID: AAF-614
Signed-off-by: Michael Arrastia <MArrasti@amdocs.com>
Diffstat (limited to 'sidecar/fproxy/src/main')
4 files changed, 40 insertions, 30 deletions
diff --git a/sidecar/fproxy/src/main/bin/start.sh b/sidecar/fproxy/src/main/bin/start.sh index 53662b6..624f784 100644 --- a/sidecar/fproxy/src/main/bin/start.sh +++ b/sidecar/fproxy/src/main/bin/start.sh @@ -26,7 +26,14 @@ if [ -z "${KEY_STORE_PASSWORD}" ]; then exit 1 fi +if [ -z "${TRUST_STORE_PASSWORD}" ]; then + echo "TRUST_STORE_PASSWORD must be set in order to start up process" + exit 1 +fi + PROPS="-DKEY_STORE_PASSWORD=${KEY_STORE_PASSWORD}" +PROPS="$PROPS -DTRUST_STORE_PASSWORD=${TRUST_STORE_PASSWORD}" + JVM_MAX_HEAP=${MAX_HEAP:-1024} exec java -Xmx${JVM_MAX_HEAP}m ${PROPS} -jar ${BASEDIR}/fproxy-exec.jar diff --git a/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/FProxyApplication.java b/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/FProxyApplication.java index 7e3ffe4..9ca301a 100644 --- a/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/FProxyApplication.java +++ b/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/FProxyApplication.java @@ -20,6 +20,7 @@ package org.onap.aaf.cadi.sidecar.fproxy; import java.util.HashMap; +import java.util.Optional; import javax.annotation.PostConstruct; import org.eclipse.jetty.util.security.Password; import org.springframework.beans.factory.annotation.Autowired; @@ -35,40 +36,40 @@ public class FProxyApplication extends SpringBootServletInitializer { @Autowired private Environment env; - + + @FunctionalInterface + public interface AppProperty { + String getProperty(String p); + } + /** - * Spring Boot Initialization. - * + * Spring Boot initialization. + * * @param args main args */ public static void main(String[] args) { - String keyStorePassword = System.getProperty("KEY_STORE_PASSWORD"); - if (keyStorePassword == null || keyStorePassword.isEmpty()) { - throw new IllegalArgumentException("Env property KEY_STORE_PASSWORD not set"); - } + AppProperty appProp = (String propertyName) -> Optional.ofNullable(System.getProperty(propertyName)) + .orElseThrow(() -> new IllegalArgumentException("Env property " + propertyName + " not set")); + HashMap<String, Object> props = new HashMap<>(); - props.put("server.ssl.key-store-password", Password.deobfuscate(keyStorePassword)); + props.put("server.ssl.key-store-password", Password.deobfuscate(appProp.getProperty("KEY_STORE_PASSWORD"))); + props.put("server.ssl.trust-store-password", Password.deobfuscate(appProp.getProperty("TRUST_STORE_PASSWORD"))); new FProxyApplication().configure(new SpringApplicationBuilder(FProxyApplication.class).properties(props)) .run(args); } - + /** - * Set required trust store system properties using values from application.properties + * Set required trust and key store system properties using values from application.properties */ @PostConstruct public void setSystemProperties() { - String keyStorePath = env.getProperty("server.ssl.key-store"); - if (keyStorePath != null) { - String keyStorePassword = env.getProperty("server.ssl.key-store-password"); + AppProperty appProp = (String propertyName) -> Optional.ofNullable(env.getProperty(propertyName)) + .orElseThrow(() -> new IllegalArgumentException("Env property " + propertyName + " not set")); - if (keyStorePassword != null) { - System.setProperty("javax.net.ssl.keyStore", keyStorePath); - System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword); - System.setProperty("javax.net.ssl.trustStore", keyStorePath); - System.setProperty("javax.net.ssl.trustStorePassword", keyStorePassword); - } else { - throw new IllegalArgumentException("Env property server.ssl.key-store-password not set"); - } - } + System.setProperty("javax.net.ssl.keyStore", appProp.getProperty("server.ssl.key-store")); + System.setProperty("javax.net.ssl.keyStorePassword", appProp.getProperty("server.ssl.key-store-password")); + System.setProperty("javax.net.ssl.trustStore", appProp.getProperty("server.ssl.trust-store")); + System.setProperty("javax.net.ssl.trustStorePassword", appProp.getProperty("server.ssl.trust-store-password")); } + } diff --git a/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/RestTemplateConfig.java b/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/RestTemplateConfig.java index 23f3471..33ecb7e 100644 --- a/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/RestTemplateConfig.java +++ b/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/RestTemplateConfig.java @@ -45,11 +45,11 @@ public class RestTemplateConfig { @Value("${server.ssl.client-cert-password}") private String clientCertPassword; - @Value("${server.ssl.key-store}") - private String keystorePath; + @Value("${server.ssl.trust-store}") + private String trustStorePath; - @Value("${server.ssl.key-store-password}") - private String keystorePassword; + @Value("${server.ssl.trust-store-password}") + private String trustStorePassword; @Profile("secure") @Bean @@ -66,11 +66,11 @@ public class RestTemplateConfig { } private HttpClientBuilder getClientBuilder() throws GeneralSecurityException, IOException { + char[] clientPassword = Password.deobfuscate(clientCertPassword).toCharArray(); SSLContext sslContext = SSLContextBuilder.create() - .loadKeyMaterial(ResourceUtils.getFile(clientCertPath), Password.deobfuscate(clientCertPassword).toCharArray(), - keystorePassword.toCharArray()) - .loadTrustMaterial(ResourceUtils.getFile(keystorePath), keystorePassword.toCharArray()).build(); + .loadKeyMaterial(ResourceUtils.getFile(clientCertPath), clientPassword, clientPassword) + .loadTrustMaterial(ResourceUtils.getFile(trustStorePath), trustStorePassword.toCharArray()).build(); return HttpClients.custom().setSSLContext(sslContext); } diff --git a/sidecar/fproxy/src/main/resources/application.properties b/sidecar/fproxy/src/main/resources/application.properties index 2fb9396..47717b7 100644 --- a/sidecar/fproxy/src/main/resources/application.properties +++ b/sidecar/fproxy/src/main/resources/application.properties @@ -2,6 +2,8 @@ CONFIG_HOME=config server.port=10680 server.ssl.key-store=${CONFIG_HOME}/auth/tomcat_keystore +server.ssl.trust-store=${CONFIG_HOME}/auth/fproxy_truststore + server.ssl.client-cert=${CONFIG_HOME}/auth/client-cert.p12 server.ssl.client-cert-password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 server.ssl.client-auth=want @@ -10,4 +12,4 @@ server.servlet.context-path=/ logging.config=${CONFIG_HOME}/logback-spring.xml -spring.profiles.active=secure
\ No newline at end of file +spring.profiles.active=secure |