From 4e4988af6aa561d4950711322941cab8c2d2c895 Mon Sep 17 00:00:00 2001 From: Dan Timoney Date: Fri, 9 Jul 2021 10:20:56 -0400 Subject: Add host name verifier that accepts IP addresses Add a host name verifier that handles IP addresses as special cases, so that they can be safely ignored in lab environments Issue-ID: CCSDK-3196 Signed-off-by: Dan Timoney Change-Id: I83cec989102620b52a227b7ca71efb92227d834c --- .../common/AcceptIpAddressHostNameVerifier.java | 94 ++++++++++++++++++++++ .../ccsdk/sli/core/utils/common/EnvProperties.java | 31 +++++++ .../AcceptIpAddressHostNameVerifierTest.java | 78 ++++++++++++++++++ 3 files changed, 203 insertions(+) create mode 100644 core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifier.java create mode 100644 core/utils/provider/src/test/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifierTest.java (limited to 'core') diff --git a/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifier.java b/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifier.java new file mode 100644 index 000000000..25686d542 --- /dev/null +++ b/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifier.java @@ -0,0 +1,94 @@ +/*- + * ============LICENSE_START======================================================= + * onap + * ================================================================================ + * Copyright (C) 2021 AT&T + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + + package org.onap.ccsdk.sli.core.utils.common; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLSession; + +/** + * HostnameVerifier that accepts IP addresses without verification, but + * does default host name verification on true FQDNs + */ +public class AcceptIpAddressHostNameVerifier implements HostnameVerifier { + + public static final String DISABLE_HOSTNAME_VERIFICATION = "org.onap.ccsdk.host.verification.disable"; + + public static final String IPV4_REGEX = "\\A(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z"; + public static final String IPV6_HEX4DECCOMPRESSED_REGEX = "\\A((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?) ::((?:[0-9A-Fa-f]{1,4}:)*)(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z"; + public static final String IPV6_6HEX4DEC_REGEX = "\\A((?:[0-9A-Fa-f]{1,4}:){6,6})(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z"; + public static final String IPV6_HEXCOMPRESSED_REGEX = "\\A((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)\\z"; + public static final String IPV6_REGEX = "\\A(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\\z"; + + boolean disableHostVerification = false; + + public AcceptIpAddressHostNameVerifier() { + // Allow for host name verification to be disabled if + // necessary (for example, if self-signed certificates must + // be supported) + String disableHostVerification = System.getProperty(DISABLE_HOSTNAME_VERIFICATION, "false"); + + if ("true".equalsIgnoreCase(disableHostVerification)) { + this.disableHostVerification = true; + } else { + this.disableHostVerification = false; + } + } + + public AcceptIpAddressHostNameVerifier(boolean disableHostVerification) { + this.disableHostVerification = disableHostVerification; + } + + @Override + public boolean verify(String hostName, SSLSession session) { + + if (disableHostVerification) { + return true; + } + + // Null host name should never happen, but better to be safe + if (hostName == null) { + return false; + } + + // If "hostName" is an IP address, accept it + if (hostName.matches(IPV4_REGEX) || + hostName.matches(IPV6_REGEX) || + hostName.matches(IPV6_HEX4DECCOMPRESSED_REGEX) || + hostName.matches(IPV6_6HEX4DEC_REGEX) || + hostName.matches(IPV6_HEXCOMPRESSED_REGEX)) + { + return true; + } + + // Handle localhost as special case + if (hostName.equals("localhost")) { + return(true); + } + + // Host name is not an IP address - perform default host + // name verification. + HostnameVerifier defaultHv = HttpsURLConnection.getDefaultHostnameVerifier(); + return(defaultHv.verify(hostName, session)); + } + + +} diff --git a/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/EnvProperties.java b/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/EnvProperties.java index 0dca28427..463191fb2 100644 --- a/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/EnvProperties.java +++ b/core/utils/provider/src/main/java/org/onap/ccsdk/sli/core/utils/common/EnvProperties.java @@ -1,3 +1,23 @@ +/*- + * ============LICENSE_START======================================================= + * onap + * ================================================================================ + * Copyright (C) 2021 AT&T + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + package org.onap.ccsdk.sli.core.utils.common; import java.io.IOException; @@ -8,6 +28,17 @@ import java.util.Properties; import java.util.regex.Matcher; import java.util.regex.Pattern; +/** + * Drop-in replacement for java.util.Properties that allows env + * variables to be used as settings for property files. For example, + * + * my.property = ${MY_PROPERTY} + * + * A default value can also be provided using :- notation. For example, + * + * my.property = ${MY_PROPERTY:-defaultValue} + */ + public class EnvProperties extends Properties { @Override diff --git a/core/utils/provider/src/test/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifierTest.java b/core/utils/provider/src/test/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifierTest.java new file mode 100644 index 000000000..85fcdfafd --- /dev/null +++ b/core/utils/provider/src/test/java/org/onap/ccsdk/sli/core/utils/common/AcceptIpAddressHostNameVerifierTest.java @@ -0,0 +1,78 @@ +package org.onap.ccsdk.sli.core.utils.common; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLSession; + +import org.junit.Test; +import org.mockito.Mockito; + +public class AcceptIpAddressHostNameVerifierTest { + + @Test + public void testVerify() { + HostnameVerifier hv = new AcceptIpAddressHostNameVerifier(); + SSLSession sslSession = Mockito.mock(SSLSession.class); + + // Test that IPv4 style address is accepted + assertTrue(hv.verify("127.0.0.1", sslSession)); + + // Test that IPv6 style addresses are also accepted + assertTrue(hv.verify("2001:db8:3333:4444:5555:6666:7777:8888", sslSession)); + assertTrue(hv.verify("2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF", sslSession)); + assertTrue(hv.verify("2001:db8::", sslSession)); + assertTrue(hv.verify("::1234:5678", sslSession)); + assertTrue(hv.verify("2001:db8::1234:5678", sslSession)); + assertTrue(hv.verify("::1", sslSession)); + + // Test that localhost is accepted + assertTrue(hv.verify("localhost", sslSession)); + + // Test that FQDN is not accepted (since there is no certificate) + assertFalse(hv.verify("bogus.org", sslSession)); + + // Repeat tests with verification disabled via arg to constructor + hv = new AcceptIpAddressHostNameVerifier(true); + + // Test that IPv4 style address is accepted + assertTrue(hv.verify("127.0.0.1", sslSession)); + + // Test that IPv6 style addresses are also accepted + assertTrue(hv.verify("2001:db8:3333:4444:5555:6666:7777:8888", sslSession)); + assertTrue(hv.verify("2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF", sslSession)); + assertTrue(hv.verify("2001:db8::", sslSession)); + assertTrue(hv.verify("::1234:5678", sslSession)); + assertTrue(hv.verify("2001:db8::1234:5678", sslSession)); + assertTrue(hv.verify("::1", sslSession)); + + // Test that localhost is accepted + assertTrue(hv.verify("localhost", sslSession)); + + // Test that FQDN is accepted (since verification is disabled) + assertTrue(hv.verify("bogus.org", sslSession)); + + // Repeat tests with verification disabled via arg to constructor + System.setProperty(AcceptIpAddressHostNameVerifier.DISABLE_HOSTNAME_VERIFICATION, "true"); + hv = new AcceptIpAddressHostNameVerifier(); + + // Test that IPv4 style address is accepted + assertTrue(hv.verify("127.0.0.1", sslSession)); + + // Test that IPv6 style addresses are also accepted + assertTrue(hv.verify("2001:db8:3333:4444:5555:6666:7777:8888", sslSession)); + assertTrue(hv.verify("2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF", sslSession)); + assertTrue(hv.verify("2001:db8::", sslSession)); + assertTrue(hv.verify("::1234:5678", sslSession)); + assertTrue(hv.verify("2001:db8::1234:5678", sslSession)); + assertTrue(hv.verify("::1", sslSession)); + + // Test that localhost is accepted + assertTrue(hv.verify("localhost", sslSession)); + + // Test that FQDN is accepted (since verification is disabled) + assertTrue(hv.verify("bogus.org", sslSession)); + } + +} -- cgit 1.2.3-korg