diff options
author | Dan Timoney <dtimoney@att.com> | 2021-07-20 16:29:15 -0400 |
---|---|---|
committer | Dan Timoney <dtimoney@att.com> | 2021-07-20 16:29:15 -0400 |
commit | afb648cbb6e69725f5f0857f5429cf710c8a0243 (patch) | |
tree | 46edda5ecc25dc992084a668e725d646fa3978e6 /plugins/restconf-client | |
parent | 6dfa45c5b883af5d9d3371f303513180cefa6f86 (diff) |
Fix weak crypto issue in restconf adaptor
Added new capability to disable host name verification on a per-connection
basis in restapi-call-node and restconf adaptors, and use custom
hostname verifier to handle IP addresses and localhost as exception
cases.
Issue-ID: CCSDK-3196
Signed-off-by: Dan Timoney <dtimoney@att.com>
Change-Id: I379f3b5093b5ff46433a33821127670747e8efa6
Diffstat (limited to 'plugins/restconf-client')
-rw-r--r-- | plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java index 5b47cf5b6..d6b93f744 100644 --- a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java +++ b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java @@ -24,6 +24,7 @@ import org.glassfish.jersey.media.sse.EventSource; import org.glassfish.jersey.media.sse.SseFeature; import org.onap.ccsdk.sli.core.sli.SvcLogicContext; import org.onap.ccsdk.sli.core.sli.SvcLogicException; +import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier; import org.onap.ccsdk.sli.plugins.restapicall.Parameters; import org.onap.ccsdk.sli.plugins.restapicall.RestapiCallNode; import org.onap.ccsdk.sli.plugins.restconfapicall.RestconfApiCallNode; @@ -142,7 +143,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin { try { RestapiCallNode restapi = restconfApiCallNode.getRestapiCallNode(); p = RestapiCallNode.getParameters(paramMap, new Parameters()); - Client client = ignoreSslClient().register(SseFeature.class); + Client client = ignoreSslClient(p.disableHostVerification).register(SseFeature.class); target = restapi.addAuthType(client, p).target(url); } catch (SvcLogicException e) { log.error("Exception occured!", e); @@ -170,7 +171,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin { // Note: Sonar complains about host name verification being // disabled here. This is necessary to handle devices using self-signed // certificates (where CA would be unknown) - so we are leaving this code as is. - private Client ignoreSslClient() { + private Client ignoreSslClient(boolean disableHostVerification) { SSLContext sslcontext = null; try { @@ -193,7 +194,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin { throw new IllegalStateException(e); } - return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((s1, s2) -> true).build(); + return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new AcceptIpAddressHostNameVerifier(disableHostVerification)).build(); } } |