diff options
author | Krzysztof Gajewski <krzysztof.gajewski@nokia.com> | 2021-03-09 11:08:21 +0100 |
---|---|---|
committer | Krzysztof Gajewski <krzysztof.gajewski@nokia.com> | 2021-03-09 15:52:53 +0100 |
commit | b6f233f5ab3fae789e463af78e5360114ae9da3d (patch) | |
tree | 019e8319852f9a62a2566f1941e8386cad3ddc62 /datafile-app-server/src/main | |
parent | 9c88f794dcbd9dafef93544c1607c555e0eed840 (diff) |
Fix server hostname verification1.5.5
- make it configurable
- some small another sonar issues resolved
Issue-ID: DCAEGEN2-2656
Signed-off-by: Krzysztof Gajewski <krzysztof.gajewski@nokia.com>
Change-Id: I3012b60dbdfdb463d5adfd790df53953fe1f027f
Diffstat (limited to 'datafile-app-server/src/main')
5 files changed, 34 insertions, 13 deletions
diff --git a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/AppConfig.java b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/AppConfig.java index b381c021..f11a85a0 100644 --- a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/AppConfig.java +++ b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/AppConfig.java @@ -39,7 +39,6 @@ import javax.validation.constraints.NotNull; import org.onap.dcaegen2.collectors.datafile.exceptions.DatafileTaskException; import org.onap.dcaegen2.collectors.datafile.http.HttpsClientConnectionManagerUtil; -import org.onap.dcaegen2.collectors.datafile.model.logging.MappedDiagnosticContext; import org.onap.dcaegen2.services.sdk.rest.services.cbs.client.api.CbsClient; import org.onap.dcaegen2.services.sdk.rest.services.cbs.client.api.CbsClientFactory; import org.onap.dcaegen2.services.sdk.rest.services.cbs.client.api.CbsRequests; @@ -94,17 +93,16 @@ public class AppConfig { */ public void initialize() { stop(); - Map<String, String> context = MappedDiagnosticContext.initializeTraceContext(); loadConfigurationFromFile(); - refreshConfigTask = createRefreshTask(context) // + refreshConfigTask = createRefreshTask() // .subscribe(e -> logger.info("Refreshed configuration data"), throwable -> logger.error("Configuration refresh terminated due to exception", throwable), () -> logger.error("Configuration refresh terminated")); } - Flux<AppConfig> createRefreshTask(Map<String, String> context) { + Flux<AppConfig> createRefreshTask() { return createCbsClientConfiguration() .flatMap(this::createCbsClient) .flatMapMany(this::periodicConfigurationUpdates) // @@ -173,8 +171,9 @@ public class AppConfig { return sftpConfiguration; } - private <R> Mono<R> onErrorResume(Throwable trowable) { - logger.error("Could not refresh application configuration {}", trowable.toString()); + private <R> Mono<R> onErrorResume(Throwable throwable) { + String throwableString = throwable.toString(); + logger.error("Could not refresh application configuration {}", throwableString); return Mono.empty(); } @@ -234,8 +233,10 @@ public class AppConfig { this.publishingConfigurations = publisherConfiguration; this.certificateConfiguration = certificateConfig; this.sftpConfiguration = sftpConfig; + HttpsClientConnectionManagerUtil.setupOrUpdate(certificateConfig.keyCert(), certificateConfig.keyPasswordPath(), - certificateConfig.trustedCa(), certificateConfig.trustedCaPasswordPath()); + certificateConfig.trustedCa(), certificateConfig.trustedCaPasswordPath(), + certificateConfig.httpsHostnameVerify()); } JsonElement getJsonElement(InputStream inputStream) { diff --git a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CertificateConfig.java b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CertificateConfig.java index 1d8b6143..78be36d3 100644 --- a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CertificateConfig.java +++ b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CertificateConfig.java @@ -1,6 +1,6 @@ /*- * ============LICENSE_START======================================================= - * Copyright (C) 2018 NOKIA Intellectual Property, 2019 Nordix Foundation. All rights reserved. + * Copyright (C) 2018-2021 NOKIA Intellectual Property, 2019 Nordix Foundation. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -47,4 +47,7 @@ public abstract class CertificateConfig implements Serializable { @Value.Parameter @Value.Redacted public abstract String trustedCaPasswordPath(); + + @Value.Parameter + public abstract Boolean httpsHostnameVerify(); } diff --git a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CloudConfigParser.java b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CloudConfigParser.java index d6b86433..025166c2 100644 --- a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CloudConfigParser.java +++ b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/configuration/CloudConfigParser.java @@ -194,6 +194,7 @@ public class CloudConfigParser { .keyPasswordPath(getAsString(jsonObject, "dmaap.certificateConfig.keyPasswordPath")) .trustedCa(getAsString(jsonObject, "dmaap.certificateConfig.trustedCa")) .trustedCaPasswordPath(getAsString(jsonObject, "dmaap.certificateConfig.trustedCaPasswordPath")) // + .httpsHostnameVerify(getAsBooleanOrDefault(jsonObject, "dmaap.certificateConfig.httpsHostnameVerify", Boolean.TRUE)) .build(); } @@ -222,6 +223,14 @@ public class CloudConfigParser { return get(obj, memberName).getAsBoolean(); } + private static @NotNull Boolean getAsBooleanOrDefault(JsonObject obj, String memberName, Boolean def) { + try { + return get(obj, memberName).getAsBoolean(); + } catch (DatafileTaskException e) { + return def; + } + } + private static @NotNull JsonObject getAsJson(JsonObject obj, String memberName) throws DatafileTaskException { return get(obj, memberName).getAsJsonObject(); } diff --git a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/DfcHttpsClient.java b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/DfcHttpsClient.java index c2d72f67..9bb01183 100644 --- a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/DfcHttpsClient.java +++ b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/DfcHttpsClient.java @@ -36,6 +36,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.net.ssl.SSLHandshakeException; +import javax.net.ssl.SSLPeerUnverifiedException; import java.io.IOException; import java.io.InputStream; import java.net.UnknownHostException; @@ -138,7 +139,8 @@ public class DfcHttpsClient implements FileCollectClient { throw new NonRetryableDatafileTaskException(HttpUtils.retryableResponse(getResponseCode(httpResponse))); } throw new DatafileTaskException(HttpUtils.nonRetryableResponse(getResponseCode(httpResponse))); - } catch (ConnectTimeoutException | UnknownHostException | HttpHostConnectException | SSLHandshakeException e) { + } catch (ConnectTimeoutException | UnknownHostException | HttpHostConnectException | SSLHandshakeException + | SSLPeerUnverifiedException e) { throw new NonRetryableDatafileTaskException( "Unable to get file from xNF. No retry attempts will be done.", e); } diff --git a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/HttpsClientConnectionManagerUtil.java b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/HttpsClientConnectionManagerUtil.java index e60ec0f4..25638562 100644 --- a/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/HttpsClientConnectionManagerUtil.java +++ b/datafile-app-server/src/main/java/org/onap/dcaegen2/collectors/datafile/http/HttpsClientConnectionManagerUtil.java @@ -18,6 +18,8 @@ package org.onap.dcaegen2.collectors.datafile.http; import org.apache.http.config.Registry; import org.apache.http.config.RegistryBuilder; import org.apache.http.conn.socket.ConnectionSocketFactory; +import org.apache.http.conn.ssl.DefaultHostnameVerifier; +import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; import org.apache.http.ssl.SSLContextBuilder; @@ -28,6 +30,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.core.io.FileSystemResource; +import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLContext; import java.io.File; import java.io.IOException; @@ -62,19 +65,19 @@ public class HttpsClientConnectionManagerUtil { } public static void setupOrUpdate(String keyCertPath, String keyCertPasswordPath, String trustedCaPath, - String trustedCaPasswordPath) throws DatafileTaskException { + String trustedCaPasswordPath, Boolean useHostnameVerifier) throws DatafileTaskException { synchronized (HttpsClientConnectionManagerUtil.class) { if (connectionManager != null) { connectionManager.close(); connectionManager = null; } - setup(keyCertPath, keyCertPasswordPath, trustedCaPath, trustedCaPasswordPath); + setup(keyCertPath, keyCertPasswordPath, trustedCaPath, trustedCaPasswordPath, useHostnameVerifier); } logger.trace("HttpsConnectionManager setup or updated"); } private static void setup(String keyCertPath, String keyCertPasswordPath, String trustedCaPath, - String trustedCaPasswordPath) throws DatafileTaskException { + String trustedCaPasswordPath, Boolean useHostnameVerifier) throws DatafileTaskException { try { SSLContextBuilder sslBuilder = SSLContexts.custom(); sslBuilder = supplyKeyInfo(keyCertPath, keyCertPasswordPath, sslBuilder); @@ -82,9 +85,12 @@ public class HttpsClientConnectionManagerUtil { SSLContext sslContext = sslBuilder.build(); + HostnameVerifier hostnameVerifier = (Boolean.TRUE.equals(useHostnameVerifier)) ? new DefaultHostnameVerifier() : + NoopHostnameVerifier.INSTANCE; + SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, new String[] {"TLSv1.2"}, null, - (hostname, session) -> true); + hostnameVerifier); Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create().register("https", sslConnectionSocketFactory) |