summaryrefslogtreecommitdiffstats
path: root/sidecar/fproxy/src/main
diff options
context:
space:
mode:
authorMichael Arrastia <MArrasti@amdocs.com>2018-11-08 16:57:56 +0000
committerMichael Arrastia <MArrasti@amdocs.com>2018-11-09 13:49:40 +0000
commitd3e1728b11f11d3979f04be1773e338416090d77 (patch)
tree0c81e2b8d68e6a089a6fa9ef312536f5669e6a59 /sidecar/fproxy/src/main
parent60985cb838d78c1a7f3853ee355ee5b974cc72bd (diff)
Update FProxy to separate truststore and keystore
* Create default truststore, fproxy_truststore. * Require TRUST_STORE_PASSWORD system parameter on application start. * Harden parameter checks in FProxyApplication PostConstruct. * Rationalise properties in RestTemplateConfig. * Update unit tests to handle trust store. * Correct spring dependency in pom. Change-Id: I0254e5d27ff76bbd7a44b961169d7fe47761d3f9 Issue-ID: AAF-614 Signed-off-by: Michael Arrastia <MArrasti@amdocs.com>
Diffstat (limited to 'sidecar/fproxy/src/main')
-rw-r--r--sidecar/fproxy/src/main/bin/start.sh7
-rw-r--r--sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/FProxyApplication.java45
-rw-r--r--sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/RestTemplateConfig.java14
-rw-r--r--sidecar/fproxy/src/main/resources/application.properties4
4 files changed, 40 insertions, 30 deletions
diff --git a/sidecar/fproxy/src/main/bin/start.sh b/sidecar/fproxy/src/main/bin/start.sh
index 53662b6..624f784 100644
--- a/sidecar/fproxy/src/main/bin/start.sh
+++ b/sidecar/fproxy/src/main/bin/start.sh
@@ -26,7 +26,14 @@ if [ -z "${KEY_STORE_PASSWORD}" ]; then
exit 1
fi
+if [ -z "${TRUST_STORE_PASSWORD}" ]; then
+ echo "TRUST_STORE_PASSWORD must be set in order to start up process"
+ exit 1
+fi
+
PROPS="-DKEY_STORE_PASSWORD=${KEY_STORE_PASSWORD}"
+PROPS="$PROPS -DTRUST_STORE_PASSWORD=${TRUST_STORE_PASSWORD}"
+
JVM_MAX_HEAP=${MAX_HEAP:-1024}
exec java -Xmx${JVM_MAX_HEAP}m ${PROPS} -jar ${BASEDIR}/fproxy-exec.jar
diff --git a/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/FProxyApplication.java b/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/FProxyApplication.java
index 7e3ffe4..9ca301a 100644
--- a/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/FProxyApplication.java
+++ b/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/FProxyApplication.java
@@ -20,6 +20,7 @@
package org.onap.aaf.cadi.sidecar.fproxy;
import java.util.HashMap;
+import java.util.Optional;
import javax.annotation.PostConstruct;
import org.eclipse.jetty.util.security.Password;
import org.springframework.beans.factory.annotation.Autowired;
@@ -35,40 +36,40 @@ public class FProxyApplication extends SpringBootServletInitializer {
@Autowired
private Environment env;
-
+
+ @FunctionalInterface
+ public interface AppProperty {
+ String getProperty(String p);
+ }
+
/**
- * Spring Boot Initialization.
- *
+ * Spring Boot initialization.
+ *
* @param args main args
*/
public static void main(String[] args) {
- String keyStorePassword = System.getProperty("KEY_STORE_PASSWORD");
- if (keyStorePassword == null || keyStorePassword.isEmpty()) {
- throw new IllegalArgumentException("Env property KEY_STORE_PASSWORD not set");
- }
+ AppProperty appProp = (String propertyName) -> Optional.ofNullable(System.getProperty(propertyName))
+ .orElseThrow(() -> new IllegalArgumentException("Env property " + propertyName + " not set"));
+
HashMap<String, Object> props = new HashMap<>();
- props.put("server.ssl.key-store-password", Password.deobfuscate(keyStorePassword));
+ props.put("server.ssl.key-store-password", Password.deobfuscate(appProp.getProperty("KEY_STORE_PASSWORD")));
+ props.put("server.ssl.trust-store-password", Password.deobfuscate(appProp.getProperty("TRUST_STORE_PASSWORD")));
new FProxyApplication().configure(new SpringApplicationBuilder(FProxyApplication.class).properties(props))
.run(args);
}
-
+
/**
- * Set required trust store system properties using values from application.properties
+ * Set required trust and key store system properties using values from application.properties
*/
@PostConstruct
public void setSystemProperties() {
- String keyStorePath = env.getProperty("server.ssl.key-store");
- if (keyStorePath != null) {
- String keyStorePassword = env.getProperty("server.ssl.key-store-password");
+ AppProperty appProp = (String propertyName) -> Optional.ofNullable(env.getProperty(propertyName))
+ .orElseThrow(() -> new IllegalArgumentException("Env property " + propertyName + " not set"));
- if (keyStorePassword != null) {
- System.setProperty("javax.net.ssl.keyStore", keyStorePath);
- System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
- System.setProperty("javax.net.ssl.trustStore", keyStorePath);
- System.setProperty("javax.net.ssl.trustStorePassword", keyStorePassword);
- } else {
- throw new IllegalArgumentException("Env property server.ssl.key-store-password not set");
- }
- }
+ System.setProperty("javax.net.ssl.keyStore", appProp.getProperty("server.ssl.key-store"));
+ System.setProperty("javax.net.ssl.keyStorePassword", appProp.getProperty("server.ssl.key-store-password"));
+ System.setProperty("javax.net.ssl.trustStore", appProp.getProperty("server.ssl.trust-store"));
+ System.setProperty("javax.net.ssl.trustStorePassword", appProp.getProperty("server.ssl.trust-store-password"));
}
+
}
diff --git a/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/RestTemplateConfig.java b/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/RestTemplateConfig.java
index 23f3471..33ecb7e 100644
--- a/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/RestTemplateConfig.java
+++ b/sidecar/fproxy/src/main/java/org/onap/aaf/cadi/sidecar/fproxy/RestTemplateConfig.java
@@ -45,11 +45,11 @@ public class RestTemplateConfig {
@Value("${server.ssl.client-cert-password}")
private String clientCertPassword;
- @Value("${server.ssl.key-store}")
- private String keystorePath;
+ @Value("${server.ssl.trust-store}")
+ private String trustStorePath;
- @Value("${server.ssl.key-store-password}")
- private String keystorePassword;
+ @Value("${server.ssl.trust-store-password}")
+ private String trustStorePassword;
@Profile("secure")
@Bean
@@ -66,11 +66,11 @@ public class RestTemplateConfig {
}
private HttpClientBuilder getClientBuilder() throws GeneralSecurityException, IOException {
+ char[] clientPassword = Password.deobfuscate(clientCertPassword).toCharArray();
SSLContext sslContext = SSLContextBuilder.create()
- .loadKeyMaterial(ResourceUtils.getFile(clientCertPath), Password.deobfuscate(clientCertPassword).toCharArray(),
- keystorePassword.toCharArray())
- .loadTrustMaterial(ResourceUtils.getFile(keystorePath), keystorePassword.toCharArray()).build();
+ .loadKeyMaterial(ResourceUtils.getFile(clientCertPath), clientPassword, clientPassword)
+ .loadTrustMaterial(ResourceUtils.getFile(trustStorePath), trustStorePassword.toCharArray()).build();
return HttpClients.custom().setSSLContext(sslContext);
}
diff --git a/sidecar/fproxy/src/main/resources/application.properties b/sidecar/fproxy/src/main/resources/application.properties
index 2fb9396..47717b7 100644
--- a/sidecar/fproxy/src/main/resources/application.properties
+++ b/sidecar/fproxy/src/main/resources/application.properties
@@ -2,6 +2,8 @@ CONFIG_HOME=config
server.port=10680
server.ssl.key-store=${CONFIG_HOME}/auth/tomcat_keystore
+server.ssl.trust-store=${CONFIG_HOME}/auth/fproxy_truststore
+
server.ssl.client-cert=${CONFIG_HOME}/auth/client-cert.p12
server.ssl.client-cert-password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
server.ssl.client-auth=want
@@ -10,4 +12,4 @@ server.servlet.context-path=/
logging.config=${CONFIG_HOME}/logback-spring.xml
-spring.profiles.active=secure \ No newline at end of file
+spring.profiles.active=secure