From 4e4988af6aa561d4950711322941cab8c2d2c895 Mon Sep 17 00:00:00 2001 From: Dan Timoney Date: Fri, 9 Jul 2021 10:20:56 -0400 Subject: Add host name verifier that accepts IP addresses Add a host name verifier that handles IP addresses as special cases, so that they can be safely ignored in lab environments Issue-ID: CCSDK-3196 Signed-off-by: Dan Timoney Change-Id: I83cec989102620b52a227b7ca71efb92227d834c --- .../adaptors/base/http/AbstractHttpAdapter.java | 9 +-- .../sli/adaptors/resource/mdsal/RestService.java | 5 +- adaptors/message-router/consumer/provider/pom.xml | 5 ++ .../provider/impl/AbstractBaseConsumer.java | 10 +-- .../common/AcceptIpAddressHostNameVerifier.java | 94 ++++++++++++++++++++++ .../ccsdk/sli/core/utils/common/EnvProperties.java | 31 +++++++ .../AcceptIpAddressHostNameVerifierTest.java | 78 ++++++++++++++++++ .../northbound/dmaapclient/SdncOdlConnection.java | 9 +-- .../northbound/uebclient/SdncOdlConnection.java | 8 +- .../sli/plugins/restapicall/RestapiCallNode.java | 7 +- .../restconfdiscovery/RestconfDiscoveryNode.java | 3 + 11 files changed, 229 insertions(+), 30 deletions(-) create mode 100644 core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifier.java create mode 100644 core/utils/provider/src/test/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifierTest.java diff --git a/adaptors/base/http/provider/src/main/java/org/onap/ccsdk/sli/adaptors/base/http/AbstractHttpAdapter.java b/adaptors/base/http/provider/src/main/java/org/onap/ccsdk/sli/adaptors/base/http/AbstractHttpAdapter.java index 65cbdd764..0950ceba8 100644 --- a/adaptors/base/http/provider/src/main/java/org/onap/ccsdk/sli/adaptors/base/http/AbstractHttpAdapter.java +++ b/adaptors/base/http/provider/src/main/java/org/onap/ccsdk/sli/adaptors/base/http/AbstractHttpAdapter.java @@ -10,6 +10,7 @@ import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLSession; import javax.ws.rs.client.ClientBuilder; +import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier; import org.onap.ccsdk.sli.core.utils.common.EnvProperties; import org.onap.logging.filter.base.MetricLogClientFilter; import org.onap.logging.filter.base.PayloadLoggingClientFilter; @@ -32,12 +33,8 @@ public abstract class AbstractHttpAdapter { } private void defaultHostNameVerifier() { - clientBuilder.hostnameVerifier(new HostnameVerifier() { - @Override - public boolean verify(String hostname, SSLSession session) { - return true; - } - }); + // Perform host name verification EXCEPT if 'host' is IP address + clientBuilder.hostnameVerifier(new AcceptIpAddressHostNameVerifier()); } protected void enableMetricLogging() { diff --git a/adaptors/mdsal-resource/provider/src/main/java/org/onap/ccsdk/sli/adaptors/resource/mdsal/RestService.java b/adaptors/mdsal-resource/provider/src/main/java/org/onap/ccsdk/sli/adaptors/resource/mdsal/RestService.java index ebddc24ae..7f90ab43d 100644 --- a/adaptors/mdsal-resource/provider/src/main/java/org/onap/ccsdk/sli/adaptors/resource/mdsal/RestService.java +++ b/adaptors/mdsal-resource/provider/src/main/java/org/onap/ccsdk/sli/adaptors/resource/mdsal/RestService.java @@ -22,6 +22,7 @@ package org.onap.ccsdk.sli.adaptors.resource.mdsal; import org.apache.commons.codec.binary.Base64; +import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.w3c.dom.Document; @@ -90,8 +91,8 @@ public class RestService { try { HttpURLConnection conn = getRestConnection(fullUrl, method); if (conn instanceof HttpsURLConnection) { - HostnameVerifier hostnameVerifier = (hostname, session) -> true; - ((HttpsURLConnection) conn).setHostnameVerifier(hostnameVerifier); + // Safely disable host name verification if host is an IP address or 'localhost' + ((HttpsURLConnection) conn).setHostnameVerifier(new AcceptIpAddressHostNameVerifier()); } // Write message diff --git a/adaptors/message-router/consumer/provider/pom.xml b/adaptors/message-router/consumer/provider/pom.xml index 6eb580373..c3b6ef35b 100755 --- a/adaptors/message-router/consumer/provider/pom.xml +++ b/adaptors/message-router/consumer/provider/pom.xml @@ -27,6 +27,11 @@ com.google.code.gson gson + + org.onap.ccsdk.sli.core + utils-provider + ${project.version} + diff --git a/adaptors/message-router/consumer/provider/src/main/java/org/onap/ccsdk/sli/adaptors/messagerouter/consumer/provider/impl/AbstractBaseConsumer.java b/adaptors/message-router/consumer/provider/src/main/java/org/onap/ccsdk/sli/adaptors/messagerouter/consumer/provider/impl/AbstractBaseConsumer.java index 8937f7b91..7924137ad 100755 --- a/adaptors/message-router/consumer/provider/src/main/java/org/onap/ccsdk/sli/adaptors/messagerouter/consumer/provider/impl/AbstractBaseConsumer.java +++ b/adaptors/message-router/consumer/provider/src/main/java/org/onap/ccsdk/sli/adaptors/messagerouter/consumer/provider/impl/AbstractBaseConsumer.java @@ -36,6 +36,7 @@ import javax.net.ssl.SSLSession; import org.onap.ccsdk.sli.adaptors.messagerouter.consumer.api.ConsumerApi; import org.onap.ccsdk.sli.adaptors.messagerouter.consumer.api.RequestHandler; +import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -163,15 +164,10 @@ public abstract class AbstractBaseConsumer implements ConsumerApi { httpUrlConnection.setConnectTimeout(connectTimeout); httpUrlConnection.setReadTimeout(readTimeout); - // ignore hostname errors when dealing with HTTPS connections + // Safely ignore hostname errors if host is an ip address or localhost if (httpUrlConnection instanceof HttpsURLConnection) { HttpsURLConnection conn = (HttpsURLConnection) httpUrlConnection; - conn.setHostnameVerifier(new HostnameVerifier() { - @Override - public boolean verify(String arg0, SSLSession arg1) { - return true; - } - }); + conn.setHostnameVerifier(new AcceptIpAddressHostNameVerifier()); } return httpUrlConnection; } diff --git a/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifier.java b/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifier.java new file mode 100644 index 000000000..25686d542 --- /dev/null +++ b/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifier.java @@ -0,0 +1,94 @@ +/*- + * ============LICENSE_START======================================================= + * onap + * ================================================================================ + * Copyright (C) 2021 AT&T + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + + package org.onap.ccsdk.sli.core.utils.common; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLSession; + +/** + * HostnameVerifier that accepts IP addresses without verification, but + * does default host name verification on true FQDNs + */ +public class AcceptIpAddressHostNameVerifier implements HostnameVerifier { + + public static final String DISABLE_HOSTNAME_VERIFICATION = "org.onap.ccsdk.host.verification.disable"; + + public static final String IPV4_REGEX = "\\A(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z"; + public static final String IPV6_HEX4DECCOMPRESSED_REGEX = "\\A((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?) ::((?:[0-9A-Fa-f]{1,4}:)*)(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z"; + public static final String IPV6_6HEX4DEC_REGEX = "\\A((?:[0-9A-Fa-f]{1,4}:){6,6})(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z"; + public static final String IPV6_HEXCOMPRESSED_REGEX = "\\A((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)\\z"; + public static final String IPV6_REGEX = "\\A(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\\z"; + + boolean disableHostVerification = false; + + public AcceptIpAddressHostNameVerifier() { + // Allow for host name verification to be disabled if + // necessary (for example, if self-signed certificates must + // be supported) + String disableHostVerification = System.getProperty(DISABLE_HOSTNAME_VERIFICATION, "false"); + + if ("true".equalsIgnoreCase(disableHostVerification)) { + this.disableHostVerification = true; + } else { + this.disableHostVerification = false; + } + } + + public AcceptIpAddressHostNameVerifier(boolean disableHostVerification) { + this.disableHostVerification = disableHostVerification; + } + + @Override + public boolean verify(String hostName, SSLSession session) { + + if (disableHostVerification) { + return true; + } + + // Null host name should never happen, but better to be safe + if (hostName == null) { + return false; + } + + // If "hostName" is an IP address, accept it + if (hostName.matches(IPV4_REGEX) || + hostName.matches(IPV6_REGEX) || + hostName.matches(IPV6_HEX4DECCOMPRESSED_REGEX) || + hostName.matches(IPV6_6HEX4DEC_REGEX) || + hostName.matches(IPV6_HEXCOMPRESSED_REGEX)) + { + return true; + } + + // Handle localhost as special case + if (hostName.equals("localhost")) { + return(true); + } + + // Host name is not an IP address - perform default host + // name verification. + HostnameVerifier defaultHv = HttpsURLConnection.getDefaultHostnameVerifier(); + return(defaultHv.verify(hostName, session)); + } + + +} diff --git a/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/EnvProperties.java b/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/EnvProperties.java index 0dca28427..463191fb2 100644 --- a/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/EnvProperties.java +++ b/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/EnvProperties.java @@ -1,3 +1,23 @@ +/*- + * ============LICENSE_START======================================================= + * onap + * ================================================================================ + * Copyright (C) 2021 AT&T + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + package org.onap.ccsdk.sli.core.utils.common; import java.io.IOException; @@ -8,6 +28,17 @@ import java.util.Properties; import java.util.regex.Matcher; import java.util.regex.Pattern; +/** + * Drop-in replacement for java.util.Properties that allows env + * variables to be used as settings for property files. For example, + * + * my.property = ${MY_PROPERTY} + * + * A default value can also be provided using :- notation. For example, + * + * my.property = ${MY_PROPERTY:-defaultValue} + */ + public class EnvProperties extends Properties { @Override diff --git a/core/utils/provider/src/test/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifierTest.java b/core/utils/provider/src/test/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifierTest.java new file mode 100644 index 000000000..85fcdfafd --- /dev/null +++ b/core/utils/provider/src/test/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifierTest.java @@ -0,0 +1,78 @@ +package org.onap.ccsdk.sli.core.utils.common; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLSession; + +import org.junit.Test; +import org.mockito.Mockito; + +public class AcceptIpAddressHostNameVerifierTest { + + @Test + public void testVerify() { + HostnameVerifier hv = new AcceptIpAddressHostNameVerifier(); + SSLSession sslSession = Mockito.mock(SSLSession.class); + + // Test that IPv4 style address is accepted + assertTrue(hv.verify("127.0.0.1", sslSession)); + + // Test that IPv6 style addresses are also accepted + assertTrue(hv.verify("2001:db8:3333:4444:5555:6666:7777:8888", sslSession)); + assertTrue(hv.verify("2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF", sslSession)); + assertTrue(hv.verify("2001:db8::", sslSession)); + assertTrue(hv.verify("::1234:5678", sslSession)); + assertTrue(hv.verify("2001:db8::1234:5678", sslSession)); + assertTrue(hv.verify("::1", sslSession)); + + // Test that localhost is accepted + assertTrue(hv.verify("localhost", sslSession)); + + // Test that FQDN is not accepted (since there is no certificate) + assertFalse(hv.verify("bogus.org", sslSession)); + + // Repeat tests with verification disabled via arg to constructor + hv = new AcceptIpAddressHostNameVerifier(true); + + // Test that IPv4 style address is accepted + assertTrue(hv.verify("127.0.0.1", sslSession)); + + // Test that IPv6 style addresses are also accepted + assertTrue(hv.verify("2001:db8:3333:4444:5555:6666:7777:8888", sslSession)); + assertTrue(hv.verify("2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF", sslSession)); + assertTrue(hv.verify("2001:db8::", sslSession)); + assertTrue(hv.verify("::1234:5678", sslSession)); + assertTrue(hv.verify("2001:db8::1234:5678", sslSession)); + assertTrue(hv.verify("::1", sslSession)); + + // Test that localhost is accepted + assertTrue(hv.verify("localhost", sslSession)); + + // Test that FQDN is accepted (since verification is disabled) + assertTrue(hv.verify("bogus.org", sslSession)); + + // Repeat tests with verification disabled via arg to constructor + System.setProperty(AcceptIpAddressHostNameVerifier.DISABLE_HOSTNAME_VERIFICATION, "true"); + hv = new AcceptIpAddressHostNameVerifier(); + + // Test that IPv4 style address is accepted + assertTrue(hv.verify("127.0.0.1", sslSession)); + + // Test that IPv6 style addresses are also accepted + assertTrue(hv.verify("2001:db8:3333:4444:5555:6666:7777:8888", sslSession)); + assertTrue(hv.verify("2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF", sslSession)); + assertTrue(hv.verify("2001:db8::", sslSession)); + assertTrue(hv.verify("::1234:5678", sslSession)); + assertTrue(hv.verify("2001:db8::1234:5678", sslSession)); + assertTrue(hv.verify("::1", sslSession)); + + // Test that localhost is accepted + assertTrue(hv.verify("localhost", sslSession)); + + // Test that FQDN is accepted (since verification is disabled) + assertTrue(hv.verify("bogus.org", sslSession)); + } + +} diff --git a/northbound/dmaap-listener/src/main/java/org/onap/ccsdk/sli/northbound/dmaapclient/SdncOdlConnection.java b/northbound/dmaap-listener/src/main/java/org/onap/ccsdk/sli/northbound/dmaapclient/SdncOdlConnection.java index 6eeef9b48..681502021 100644 --- a/northbound/dmaap-listener/src/main/java/org/onap/ccsdk/sli/northbound/dmaapclient/SdncOdlConnection.java +++ b/northbound/dmaap-listener/src/main/java/org/onap/ccsdk/sli/northbound/dmaapclient/SdncOdlConnection.java @@ -33,6 +33,7 @@ import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLSession; import org.apache.commons.codec.binary.Base64; +import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -106,12 +107,8 @@ public class SdncOdlConnection { httpConn.setUseCaches(false); if (httpConn instanceof HttpsURLConnection) { - HostnameVerifier hostnameVerifier = new HostnameVerifier() { - @Override - public boolean verify(String hostname, SSLSession session) { - return true; - } - }; + // Safely disable host name verification if host is an ip address or 'localhost' + HostnameVerifier hostnameVerifier = new AcceptIpAddressHostNameVerifier(); ((HttpsURLConnection) httpConn).setHostnameVerifier(hostnameVerifier); } diff --git a/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncOdlConnection.java b/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncOdlConnection.java index 78d9c5bc9..79bd2235f 100644 --- a/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncOdlConnection.java +++ b/northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncOdlConnection.java @@ -35,6 +35,7 @@ import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLSession; import org.apache.commons.codec.binary.Base64; +import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -110,12 +111,7 @@ public class SdncOdlConnection { httpConn.setUseCaches(false); if (httpConn instanceof HttpsURLConnection) { - HostnameVerifier hostnameVerifier = new HostnameVerifier() { - @Override - public boolean verify(String hostname, SSLSession session) { - return true; - } - }; + HostnameVerifier hostnameVerifier = new AcceptIpAddressHostNameVerifier(); ((HttpsURLConnection) httpConn).setHostnameVerifier(hostnameVerifier); } diff --git a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java index ad74b02de..f1aa2b266 100755 --- a/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java +++ b/plugins/restapi-call-node/provider/src/main/java/org/onap/ccsdk/sli/plugins/restapicall/RestapiCallNode.java @@ -81,6 +81,7 @@ import org.glassfish.jersey.media.multipart.file.FileDataBodyPart; import org.onap.ccsdk.sli.core.sli.SvcLogicContext; import org.onap.ccsdk.sli.core.sli.SvcLogicException; import org.onap.ccsdk.sli.core.sli.SvcLogicJavaPlugin; +import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier; import org.onap.ccsdk.sli.core.utils.common.EnvProperties; import org.onap.logging.filter.base.HttpURLConnectionMetricUtil; import org.onap.logging.filter.base.MetricLogClientFilter; @@ -795,9 +796,9 @@ public class RestapiCallNode implements SvcLogicJavaPlugin { Client client; if (ssl != null) { HttpsURLConnection.setDefaultSSLSocketFactory(ssl.getSocketFactory()); - client = ClientBuilder.newBuilder().sslContext(ssl).hostnameVerifier((s, sslSession) -> true).build(); + client = ClientBuilder.newBuilder().sslContext(ssl).hostnameVerifier(new AcceptIpAddressHostNameVerifier()).build(); } else { - client = ClientBuilder.newBuilder().hostnameVerifier((s, sslSession) -> true).build(); + client = ClientBuilder.newBuilder().hostnameVerifier(new AcceptIpAddressHostNameVerifier()).build(); } setClientTimeouts(client); @@ -924,7 +925,7 @@ public class RestapiCallNode implements SvcLogicJavaPlugin { protected SSLContext createSSLContext(Parameters p) { try (FileInputStream in = new FileInputStream(p.keyStoreFileName)) { - HttpsURLConnection.setDefaultHostnameVerifier((string, ssls) -> true); + HttpsURLConnection.setDefaultHostnameVerifier(new AcceptIpAddressHostNameVerifier()); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); KeyStore ks = KeyStore.getInstance("PKCS12"); char[] pwd = p.keyStorePassword.toCharArray(); diff --git a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java index cf69d7a3c..5b47cf5b6 100644 --- a/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java +++ b/plugins/restconf-client/provider/src/main/java/org/onap/ccsdk/sli/plugins/restconfdiscovery/RestconfDiscoveryNode.java @@ -167,6 +167,9 @@ public class RestconfDiscoveryNode implements SvcLogicDiscoveryPlugin { log.info("Closed connection to SSE source"); } + // Note: Sonar complains about host name verification being + // disabled here. This is necessary to handle devices using self-signed + // certificates (where CA would be unknown) - so we are leaving this code as is. private Client ignoreSslClient() { SSLContext sslcontext = null; -- cgit 1.2.3-korg