author | Krzysztof Gajewski <krzysztof.gajewski@nokia.com> | 2021-03-09 11:08:21 +0100 |
---|---|---|
committer | Krzysztof Gajewski <krzysztof.gajewski@nokia.com> | 2021-03-09 15:52:53 +0100 |
commit | b6f233f5ab3fae789e463af78e5360114ae9da3d (patch) | |
tree | 019e8319852f9a62a2566f1941e8386cad3ddc62 /datafile-app-server/src/main/java | |
parent | 9c88f794dcbd9dafef93544c1607c555e0eed840 (diff) |
Fix server hostname verification1.5.5
- make it configurable
- some other small Sonar issues resolved
Issue-ID: DCAEGEN2-2656
Signed-off-by: Krzysztof Gajewski <krzysztof.gajewski@nokia.com>
Change-Id: I3012b60dbdfdb463d5adfd790df53953fe1f027f
Diffstat (limited to 'datafile-app-server/src/main/java')
5 files changed, 34 insertions, 13 deletions
diff --git a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/AppConfig.java b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/AppConfig.java index b381c021..f11a85a0 100644 --- a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/AppConfig.java +++ b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/AppConfig.java @@ -39,7 +39,6 @@ import javax.validation.constraints.NotNull; import org.onap.dcaegen2.collectors.datafile.exceptions.DatafileTaskException; import org.onap.dcaegen2.collectors.datafile.http.HttpsClientConnectionManagerUtil; -import org.onap.dcaegen2.collectors.datafile.model.logging.MappedDiagnosticContext; import org.onap.dcaegen2.services.sdk.rest.services.cbs.client.api.CbsClient; import org.onap.dcaegen2.services.sdk.rest.services.cbs.client.api.CbsClientFactory; import org.onap.dcaegen2.services.sdk.rest.services.cbs.client.api.CbsRequests; @@ -94,17 +93,16 @@ public class AppConfig { */ public void initialize() { stop(); - Map<String, String> context = MappedDiagnosticContext.initializeTraceContext(); loadConfigurationFromFile(); - refreshConfigTask = createRefreshTask(context) // + refreshConfigTask = createRefreshTask() // .subscribe(e -> logger.info("Refreshed configuration data"), throwable -> logger.error("Configuration refresh terminated due to exception", throwable), () -> logger.error("Configuration refresh terminated")); } - Flux<AppConfig> createRefreshTask(Map<String, String> context) { + Flux<AppConfig> createRefreshTask() { return createCbsClientConfiguration() .flatMap(this::createCbsClient) .flatMapMany(this::periodicConfigurationUpdates) // 
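Review bot: In `initialize()` the call to `MappedDiagnosticContext.initializeTraceContext()` is removed together with the unused `context` argument, and nothing in the hunk shows whether that call did more than return a map. If it also populated the logging MDC (the name suggests so, but its body is not visible here), the refresh task's log lines lose their trace identifiers, which makes configuration and TLS failures harder to correlate. Either keep the call for its side effect and drop only the local, `MappedDiagnosticContext.initializeTraceContext();` (the import would then have to stay), or confirm the MDC is initialised elsewhere before `loadConfigurationFromFile()` runs. The class body continues outside the hunk.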
@@ -173,8 +171,9 @@ public class AppConfig { return sftpConfiguration; } - private <R> Mono<R> onErrorResume(Throwable trowable) { - logger.error("Could not refresh application configuration {}", trowable.toString()); + private <R> Mono<R> onErrorResume(Throwable throwable) { + String throwableString = throwable.toString(); + logger.error("Could not refresh application configuration {}", throwableString); return Mono.empty(); } @@ -234,8 +233,10 @@ public class AppConfig { this.publishingConfigurations = publisherConfiguration; this.certificateConfiguration = certificateConfig; this.sftpConfiguration = sftpConfig; + HttpsClientConnectionManagerUtil.setupOrUpdate(certificateConfig.keyCert(), certificateConfig.keyPasswordPath(), - certificateConfig.trustedCa(), certificateConfig.trustedCaPasswordPath()); + certificateConfig.trustedCa(), certificateConfig.trustedCaPasswordPath(), + certificateConfig.httpsHostnameVerify()); } JsonElement getJsonElement(InputStream inputStream) { diff --git a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CertificateConfig.java b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CertificateConfig.java index 1d8b6143..78be36d3 100644 --- a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CertificateConfig.java +++ b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CertificateConfig.java 
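Review bot: `onErrorResume` still logs only `throwable.toString()`, so the stack trace and cause chain of a failed configuration refresh are lost; the new `throwableString` local quiets the linter without improving the log. Passing the throwable as the final logger argument keeps the cause: `logger.error("Could not refresh application configuration", throwable);`. This carries more weight after the commit, because the refreshed configuration now also delivers the hostname-verification setting passed to `setupOrUpdate` later in this file.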
@@ -1,6 +1,6 @@ /*- * ============LICENSE_START======================================================= - * Copyright (C) 2018 NOKIA Intellectual Property, 2019 Nordix Foundation. All rights reserved. + * Copyright (C) 2018-2021 NOKIA Intellectual Property, 2019 Nordix Foundation. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -47,4 +47,7 @@ public abstract class CertificateConfig implements Serializable { @Value.Parameter @Value.Redacted public abstract String trustedCaPasswordPath(); + + @Value.Parameter + public abstract Boolean httpsHostnameVerify(); } diff --git a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CloudConfigParser.java b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CloudConfigParser.java index d6b86433..025166c2 100644 --- a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CloudConfigParser.java +++ b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CloudConfigParser.java @@ -194,6 +194,7 @@ public class CloudConfigParser { .keyPasswordPath(getAsString(jsonObject, "dmaap.certificateConfig.keyPasswordPath")) .trustedCa(getAsString(jsonObject, "dmaap.certificateConfig.trustedCa")) .trustedCaPasswordPath(getAsString(jsonObject, "dmaap.certificateConfig.trustedCaPasswordPath")) // + .httpsHostnameVerify(getAsBooleanOrDefault(jsonObject, "dmaap.certificateConfig.httpsHostnameVerify", Boolean.TRUE)) .build(); } 
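Review bot: `httpsHostnameVerify()` in `CertificateConfig` is a boxed `Boolean` with no default and no Javadoc, so the secure default exists only in `CloudConfigParser` and any other code that builds a `CertificateConfig` has to pick a value itself. Putting the default on the value class keeps it in one place, for example `@Value.Default public boolean httpsHostnameVerify() { return true; }`, provided the constructor-parameter style used here permits a default attribute. A short Javadoc should state that `false` turns off server hostname checking for every HTTPS connection made through the shared connection manager.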
@@ -222,6 +223,14 @@ public class CloudConfigParser { return get(obj, memberName).getAsBoolean(); } + private static @NotNull Boolean getAsBooleanOrDefault(JsonObject obj, String memberName, Boolean def) { + try { + return get(obj, memberName).getAsBoolean(); + } catch (DatafileTaskException e) { + return def; + } + } + private static @NotNull JsonObject getAsJson(JsonObject obj, String memberName) throws DatafileTaskException { return get(obj, memberName).getAsJsonObject(); } diff --git a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/DfcHttpsClient.java b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/DfcHttpsClient.java index c2d72f67..9bb01183 100644 --- a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/DfcHttpsClient.java +++ b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/DfcHttpsClient.java @@ -36,6 +36,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.net.ssl.SSLHandshakeException; +import javax.net.ssl.SSLPeerUnverifiedException; import java.io.IOException; import java.io.InputStream; import java.net.UnknownHostException; @@ -138,7 +139,8 @@ public class DfcHttpsClient implements FileCollectClient { throw new NonRetryableDatafileTaskException(HttpUtils.retryableResponse(getResponseCode(httpResponse))); } throw new DatafileTaskException(HttpUtils.nonRetryableResponse(getResponseCode(httpResponse))); - } catch (ConnectTimeoutException | UnknownHostException | HttpHostConnectException | SSLHandshakeException e) { + } catch (ConnectTimeoutException | UnknownHostException | HttpHostConnectException | SSLHandshakeException + | SSLPeerUnverifiedException e) { throw new NonRetryableDatafileTaskException( "Unable to get file from xNF. No retry attempts will be done.", e); } 
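Review bot: `getAsBooleanOrDefault` falls back to the default only when the key is missing; a value that is present but is not a JSON boolean goes straight to `getAsBoolean()`. If `get` returns a Gson `JsonElement` (the types suggest it, but the helper is outside the hunk), a string such as "yes", "1" or a misspelt "true" parses as `false` and silently switches hostname verification off, while a JSON null or object throws an unchecked exception. The helper should accept only a real boolean and otherwise keep the default, as sketched below. Logging the key of a rejected value would help operators notice the typo.

```java
private static @NotNull Boolean getAsBooleanOrDefault(JsonObject obj, String memberName, Boolean def) {
    try {
        JsonElement element = get(obj, memberName);
        // Only a genuine JSON boolean may override the default; any other
        // value type keeps the default instead of being coerced to false.
        if (element.isJsonPrimitive() && element.getAsJsonPrimitive().isBoolean()) {
            return element.getAsBoolean();
        }
        return def;
    } catch (DatafileTaskException e) {
        // key absent: keep the default
        return def;
    }
}
```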
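Review bot: The extended catch in `DfcHttpsClient` folds `SSLPeerUnverifiedException` into the same generic message as a timeout or an unknown host, so a hostname mismatch is visible only by reading the cause in the stack trace. A certificate that does not match the peer is a different operational signal from an unreachable host and deserves its own message, for example a separate `catch (SSLPeerUnverifiedException e)` that throws `new NonRetryableDatafileTaskException("Server hostname verification failed for xNF. No retry attempts will be done.", e)`. The enclosing method starts outside the hunk.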
diff --git a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/HttpsClientConnectionManagerUtil.java b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/HttpsClientConnectionManagerUtil.java index e60ec0f4..25638562 100644 --- a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/HttpsClientConnectionManagerUtil.java +++ b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/HttpsClientConnectionManagerUtil.java @@ -18,6 +18,8 @@ package org.onap.dcaegen2.collectors.datafile.http; import org.apache.http.config.Registry; import org.apache.http.config.RegistryBuilder; import org.apache.http.conn.socket.ConnectionSocketFactory; +import org.apache.http.conn.ssl.DefaultHostnameVerifier; +import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; import org.apache.http.ssl.SSLContextBuilder; @@ -28,6 +30,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.core.io.FileSystemResource; +import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLContext; import java.io.File; import java.io.IOException; 
@@ -62,19 +65,19 @@ public class HttpsClientConnectionManagerUtil { } public static void setupOrUpdate(String keyCertPath, String keyCertPasswordPath, String trustedCaPath, - String trustedCaPasswordPath) throws DatafileTaskException { + String trustedCaPasswordPath, Boolean useHostnameVerifier) throws DatafileTaskException { synchronized (HttpsClientConnectionManagerUtil.class) { if (connectionManager != null) { connectionManager.close(); connectionManager = null; } - setup(keyCertPath, keyCertPasswordPath, trustedCaPath, trustedCaPasswordPath); + setup(keyCertPath, keyCertPasswordPath, trustedCaPath, trustedCaPasswordPath, useHostnameVerifier); } logger.trace("HttpsConnectionManager setup or updated"); } private static void setup(String keyCertPath, String keyCertPasswordPath, String trustedCaPath, - String trustedCaPasswordPath) throws DatafileTaskException { + String trustedCaPasswordPath, Boolean useHostnameVerifier) throws DatafileTaskException { try { SSLContextBuilder sslBuilder = SSLContexts.custom(); sslBuilder = supplyKeyInfo(keyCertPath, keyCertPasswordPath, sslBuilder); @@ -82,9 +85,12 @@ public class HttpsClientConnectionManagerUtil { SSLContext sslContext = sslBuilder.build(); + HostnameVerifier hostnameVerifier = (Boolean.TRUE.equals(useHostnameVerifier)) ? new DefaultHostnameVerifier() : + NoopHostnameVerifier.INSTANCE; + SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, new String[] {"TLSv1.2"}, null, - (hostname, session) -> true); + hostnameVerifier); Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create().register("https", sslConnectionSocketFactory) |
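Review bot: In `setup`, `Boolean.TRUE.equals(useHostnameVerifier)` treats a null flag the same as `false`, so any caller that passes null gets `NoopHostnameVerifier` and the connection fails open. Inverting the test makes only an explicit `false` disable checking: `HostnameVerifier hostnameVerifier = Boolean.FALSE.equals(useHostnameVerifier) ? NoopHostnameVerifier.INSTANCE : new DefaultHostnameVerifier();`. The disabled state is also never logged; a `logger.warn("HTTPS server hostname verification is disabled by configuration");` in that branch would make it visible in operations. The same boxed parameter is threaded through `setupOrUpdate` in the previous hunk, where a primitive `boolean` would rule out the null case at compile time.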