authorDan Timoney <dtimoney@att.com>2021-07-20 16:29:15 -0400
committerDan Timoney <dtimoney@att.com>2021-07-20 16:29:15 -0400
commitafb648cbb6e69725f5f0857f5429cf710c8a0243 (patch)
tree46edda5ecc25dc992084a668e725d646fa3978e6 /plugins
parent6dfa45c5b883af5d9d3371f303513180cefa6f86 (diff)
Fix weak crypto issue in restconf adaptor
Added new capability to disable host name verification on a per-connection basis in restapi-call-node and restconf adaptors, and use custom hostname verifier to handle IP addresses and localhost as exception cases. Issue-ID: CCSDK-3196 Signed-off-by: Dan Timoney <dtimoney@att.com> Change-Id: I379f3b5093b5ff46433a33821127670747e8efa6
Diffstat (limited to 'plugins')
-rwxr-xr-xplugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java1
-rwxr-xr-xplugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java3
-rw-r--r--plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java7
3 files changed, 7 insertions, 4 deletions
diff --git a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java
index 9b542af91..6e84a9c02 100755
--- a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java
+++ b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/Parameters.java
@@ -53,4 +53,5 @@ public class Parameters {
public boolean multipartFormData;
public String multipartFile;
public String targetEntity;
+ public boolean disableHostVerification;
}
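Review bot: The new public field `disableHostVerification` in `Parameters` has no comment saying what it controls or which node parameter populates it. A one-line comment would help, for example `// When true, TLS host name verification is not enforced for this call; set from the "disableHostVerification" parameter.` The exact behaviour lives in `AcceptIpAddressHostNameVerifier`, which is not visible in this diff, so the wording should be checked against that class.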
diff --git a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java
index f1aa2b266..e3192562d 100755
--- a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java
+++ b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java
@@ -238,6 +238,7 @@ public class RestapiCallNode implements SvcLogicJavaPlugin {
p.multipartFormData = valueOf(parseParam(paramMap, "multipartFormData", false, "false"));
p.multipartFile = parseParam(paramMap, "multipartFile", false, null);
p.targetEntity = parseParam(paramMap, "targetEntity", false, null);
+ p.disableHostVerification = valueOf(parseParam(paramMap, "disableHostVerification", false, "true"));
return p;
}
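Review bot: The default passed to `parseParam` for `disableHostVerification` is `"true"`, so a caller that omits the parameter gets verification disabled. This assumes the fourth argument is the default value, as it appears to be for `multipartFormData`. For a change titled as a weak-crypto fix, a fail-closed default would be safer, with individual calls opting out explicitly: `p.disableHostVerification = valueOf(parseParam(paramMap, "disableHostVerification", false, "false"));`. The parsed default also disagrees with the Java field default in `Parameters`, which is `false` when the object is populated without `getParameters`. The same value is passed to `ignoreSslClient(p.disableHostVerification)` in RestconfDiscoveryNode, and the enclosing method starts outside this hunk.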
@@ -925,7 +926,7 @@ public class RestapiCallNode implements SvcLogicJavaPlugin {
protected SSLContext createSSLContext(Parameters p) {
try (FileInputStream in = new FileInputStream(p.keyStoreFileName)) {
- HttpsURLConnection.setDefaultHostnameVerifier(new AcceptIpAddressHostNameVerifier());
+ HttpsURLConnection.setDefaultHostnameVerifier(new AcceptIpAddressHostNameVerifier(p.disableHostVerification));
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore ks = KeyStore.getInstance("PKCS12");
char[] pwd = p.keyStorePassword.toCharArray();
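Review bot: `HttpsURLConnection.setDefaultHostnameVerifier` is a static, JVM-wide setting, so passing the per-call `p.disableHostVerification` to it in `createSSLContext` does not scope the choice to one connection. The most recent call decides for every later `HttpsURLConnection` that relies on the default, and concurrent calls with different values can race, so one request that disables verification may disable it for unrelated requests. Attaching the verifier to the specific client or connection being built, as the restconf change does with `ClientBuilder.hostnameVerifier(...)`, would keep the setting per-connection. `createSSLContext` continues past the end of this hunk, so how the context is consumed is not visible here.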
diff --git a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java
index 5b47cf5b6..d6b93f744 100644
--- a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java
+++ b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java
@@ -24,6 +24,7 @@ import org.glassfish.jersey.media.sse.EventSource;
import org.glassfish.jersey.media.sse.SseFeature;
import org.onap.ccsdk.sli.core.sli.SvcLogicContext;
import org.onap.ccsdk.sli.core.sli.SvcLogicException;
+import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier;
import org.onap.ccsdk.sli.plugins.restapicall.Parameters;
import org.onap.ccsdk.sli.plugins.restapicall.RestapiCallNode;
import org.onap.ccsdk.sli.plugins.restconfapicall.RestconfApiCallNode;
@@ -142,7 +143,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin {
try {
RestapiCallNode restapi = restconfApiCallNode.getRestapiCallNode();
p = RestapiCallNode.getParameters(paramMap, new Parameters());
- Client client = ignoreSslClient().register(SseFeature.class);
+ Client client = ignoreSslClient(p.disableHostVerification).register(SseFeature.class);
target = restapi.addAuthType(client, p).target(url);
} catch (SvcLogicException e) {
log.error("Exception occured!", e);
@@ -170,7 +171,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin {
// Note: Sonar complains about host name verification being
// disabled here. This is necessary to handle devices using self-signed
// certificates (where CA would be unknown) - so we are leaving this code as is.
- private Client ignoreSslClient() {
+ private Client ignoreSslClient(boolean disableHostVerification) {
SSLContext sslcontext = null;
try {
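Review bot: The comment above `ignoreSslClient` is now stale. It still says host name verification is disabled and that the code is being left as is, while the method now takes `disableHostVerification`. Suggest replacing it with something like `// Host name verification is skipped only when disableHostVerification is true; this is needed for devices that present self-signed certificates.` The method body continues outside this hunk.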
@@ -193,7 +194,7 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin {
throw new IllegalStateException(e);
}
- return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier((s1, s2) -> true).build();
+ return ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new AcceptIpAddressHostNameVerifier(disableHostVerification)).build();
}
}
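Review bot: The host name check added on the `ClientBuilder` line only gives assurance if the certificate chain is also validated. The method name and the comment about self-signed certificates suggest `sslcontext` may accept any certificate, but its construction is outside this hunk, so this needs confirming. If it does accept any certificate, a matching host name proves little about the peer. It would be worth documenting that limitation on `ignoreSslClient`, or validating against a configured trust store when `disableHostVerification` is false.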