1 files changed, 148 insertions, 0 deletions

diff --git a/search-data-service/src/main/java/org/onap/aai/sa/searchdbabstraction/elasticsearch/dao/ElasticSearchHttpsController.java b/search-data-service/src/main/java/org/onap/aai/sa/searchdbabstraction/elasticsearch/dao/ElasticSearchHttpsController.java
new file mode 100644
index 0000000..51b8952
--- /dev/null
+++ b/search-data-service/src/main/java/org/onap/aai/sa/searchdbabstraction/elasticsearch/dao/ElasticSearchHttpsController.java
@@ -0,0 +1,148 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * Copyright © 2017-2018 Amdocs
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.sa.searchdbabstraction.elasticsearch.dao;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import org.onap.aai.cl.api.Logger;
+import org.onap.aai.cl.eelf.LoggerFactory;
+import org.onap.aai.sa.searchdbabstraction.elasticsearch.config.ElasticSearchConfig;
+
+/**
+ * HTTPS (TLS) specific configuration.
+ */
+public class ElasticSearchHttpsController {
+
+    private static final Logger logger =
+            LoggerFactory.getInstance().getLogger(ElasticSearchHttpsController.class.getName());
+
+    private static final String SSL_PROTOCOL = "TLS";
+    private static final String KEYSTORE_ALGORITHM = "SunX509";
+    private static final String KEYSTORE_TYPE = "PKCS12";
+
+    public ElasticSearchHttpsController(ElasticSearchConfig config) throws NoSuchAlgorithmException, KeyStoreException,
+            CertificateException, IOException, KeyManagementException, UnrecoverableKeyException {
+        logger.debug("Initialising HTTPS configuration");
+
+        SSLContext ctx = SSLContext.getInstance(SSL_PROTOCOL);
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KEYSTORE_ALGORITHM);
+        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
+
+        String clientCertPassword = config.getKeyStorePassword();
+
+        char[] pwd = null;
+        if (clientCertPassword != null) {
+            pwd = clientCertPassword.toCharArray();
+        } else {
+            logger.debug("No key store password is defined");
+        }
+
+        TrustManager[] trustManagers = getTrustManagers(config);
+        KeyManager[] keyManagers = null;
+
+        String clientCertFileName = config.getKeyStorePath();
+        if (clientCertFileName != null) {
+            InputStream fin = Files.newInputStream(Paths.get(clientCertFileName));
+            keyStore.load(fin, pwd);
+            kmf.init(keyStore, pwd);
+            keyManagers = kmf.getKeyManagers();
+        }
+
+        ctx.init(keyManagers, trustManagers, null);
+        logger.debug("Initialised SSL context");
+
+        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
+        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> host.equalsIgnoreCase(session.getPeerHost()));
+    }
+
+    private TrustManager[] getTrustManagers(ElasticSearchConfig config)
+            throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        // Using null here initializes the TMF with the default trust store.
+        tmf.init((KeyStore) null);
+
+        // Find the default trust manager.
+        final X509TrustManager defaultTrustManager = findX509TrustManager(tmf);
+
+        String trustStoreFile = config.getTrustStorePath();
+        if (trustStoreFile == null) {
+            logger.debug("No trust store defined");
+            return new TrustManager[] {defaultTrustManager};
+        }
+
+        // Create a new Trust Manager from the local trust store.
+        try (InputStream myKeys = Files.newInputStream(Paths.get(trustStoreFile))) {
+            KeyStore myTrustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+            char[] pwdArray = null;
+            if (config.getTrustStorePassword() != null) {
+                pwdArray = config.getTrustStorePassword().toCharArray();
+            }
+            myTrustStore.load(myKeys, pwdArray);
+            tmf.init(myTrustStore);
+        }
+
+        // Create a custom trust manager that wraps both our trust store and the default.
+        final X509TrustManager finalLocalTm = findX509TrustManager(tmf);
+
+        return new TrustManager[] {new X509TrustManager() {
+            @Override
+            public X509Certificate[] getAcceptedIssuers() {
+                return defaultTrustManager.getAcceptedIssuers();
+            }
+
+            @Override
+            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+                try {
+                    finalLocalTm.checkServerTrusted(chain, authType);
+                } catch (CertificateException e) {
+                    defaultTrustManager.checkServerTrusted(chain, authType);
+                }
+            }
+
+            @Override
+            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+                defaultTrustManager.checkClientTrusted(chain, authType);
+            }
+        }};
+    }
+
+    private X509TrustManager findX509TrustManager(TrustManagerFactory tmf) {
+        return (X509TrustManager) Arrays.asList(tmf.getTrustManagers()).stream()
+                .filter(tm -> tm instanceof X509TrustManager).findFirst().orElse(null);
+    }
+}