diff options
author | kjaniak <kornel.janiak@nokia.com> | 2018-07-17 11:50:10 +0200 |
---|---|---|
committer | Piotr Jaszczyk <piotr.jaszczyk@nokia.com> | 2018-08-03 07:32:52 +0200 |
commit | 0d15767178ffff59009de51d3737883aa81df2a6 (patch) | |
tree | c1f8cc00ca873597a7e5014fc75e3db8b957a45d /hv-collector-core | |
parent | 40c5abeac588ca6c13477675960c94a97dcdeb15 (diff) |
Add command line option to disable SSL/TLS
Closes ONAP-508
Change-Id: If6c3935ede7b00dea9b36747c6cd1422c1c8d330
Signed-off-by: kjaniak <kornel.janiak@nokia.com>
Issue-ID: DCAEGEN2-601
Diffstat (limited to 'hv-collector-core')
4 files changed, 75 insertions, 36 deletions
diff --git a/hv-collector-core/pom.xml b/hv-collector-core/pom.xml index 18657316..cf99867f 100644 --- a/hv-collector-core/pom.xml +++ b/hv-collector-core/pom.xml @@ -83,6 +83,10 @@ <artifactId>arrow-effects</artifactId> </dependency> <dependency> + <groupId>io.arrow-kt</groupId> + <artifactId>arrow-core</artifactId> + </dependency> + <dependency> <groupId>io.projectreactor</groupId> <artifactId>reactor-core</artifactId> </dependency> diff --git a/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/NettyTcpServer.kt b/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/NettyTcpServer.kt index e9985766..61e1ebff 100644 --- a/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/NettyTcpServer.kt +++ b/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/NettyTcpServer.kt @@ -19,7 +19,9 @@ */ package org.onap.dcae.collectors.veshv.impl.socket +import arrow.core.Option import arrow.effects.IO +import io.netty.handler.ssl.SslContext import org.onap.dcae.collectors.veshv.boundary.CollectorProvider import org.onap.dcae.collectors.veshv.boundary.Server import org.onap.dcae.collectors.veshv.boundary.ServerHandle @@ -54,8 +56,9 @@ internal class NettyTcpServer(private val serverConfig: ServerConfiguration, } private fun configureServer(opts: ServerOptions.Builder<*>) { + val sslContext: Option<SslContext> = sslContextFactory.createSslContext(serverConfig.securityConfiguration) + if (sslContext.isDefined()) opts.sslContext(sslContext.orNull()) opts.port(serverConfig.port) - opts.sslContext(sslContextFactory.createSslContext(serverConfig.securityConfiguration)) } private fun handleConnection(nettyInbound: NettyInbound): Mono<Void> { diff --git a/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactory.kt b/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactory.kt index b6fb1cf8..0dce0d61 100644 --- a/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactory.kt +++ b/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactory.kt @@ -19,6 +19,9 @@ */ package org.onap.dcae.collectors.veshv.impl.socket +import arrow.core.None +import arrow.core.Option +import arrow.core.Some import io.netty.handler.ssl.ClientAuth import io.netty.handler.ssl.SslContext import io.netty.handler.ssl.SslContextBuilder @@ -27,11 +30,15 @@ import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration internal open class SslContextFactory { - fun createSslContext(secConfig: SecurityConfiguration): SslContext = - createSslContextWithConfiguredCerts(secConfig) - .sslProvider(SslProvider.OPENSSL) - .clientAuth(ClientAuth.REQUIRE) - .build() + fun createSslContext(secConfig: SecurityConfiguration): Option<SslContext> = + if (secConfig.sslDisable) { + Option.empty() + } else { + Option.just(createSslContextWithConfiguredCerts(secConfig) + .sslProvider(SslProvider.OPENSSL) + .clientAuth(ClientAuth.REQUIRE) + .build()) + } protected open fun createSslContextWithConfiguredCerts(secConfig: SecurityConfiguration): SslContextBuilder = SslContextBuilder.forServer(secConfig.cert.toFile(), secConfig.privateKey.toFile()) diff --git a/hv-collector-core/src/test/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactoryTest.kt b/hv-collector-core/src/test/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactoryTest.kt index 26a25d33..deb4e183 100644 --- a/hv-collector-core/src/test/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactoryTest.kt +++ b/hv-collector-core/src/test/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactoryTest.kt @@ -20,15 +20,17 @@ package org.onap.dcae.collectors.veshv.impl.socket import io.netty.handler.ssl.ClientAuth -import io.netty.handler.ssl.OpenSslServerContext import io.netty.handler.ssl.ReferenceCountedOpenSslContext import io.netty.handler.ssl.SslContextBuilder import org.assertj.core.api.Assertions.assertThat import org.jetbrains.spek.api.Spek import org.jetbrains.spek.api.dsl.describe +import org.jetbrains.spek.api.dsl.given import org.jetbrains.spek.api.dsl.it +import org.jetbrains.spek.api.dsl.on import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration import java.nio.file.Paths +import kotlin.test.assertTrue /** * @author Piotr Jaszczyk <piotr.jaszczyk@nokia.com> @@ -36,43 +38,66 @@ import java.nio.file.Paths */ object SslContextFactoryTest : Spek({ describe("SslContextFactory") { - val sampleConfig = SecurityConfiguration( - privateKey = Paths.get("/", "tmp", "pk.pem"), - cert = Paths.get("/", "tmp", "cert.crt"), - trustedCert = Paths.get("/", "tmp", "clientCa.crt")) + given("config without disabled SSL") { + val sampleConfig = SecurityConfiguration( + privateKey = Paths.get("/", "tmp", "pk.pem"), + cert = Paths.get("/", "tmp", "cert.crt"), + trustedCert = Paths.get("/", "tmp", "clientCa.crt")) - val cut = object : SslContextFactory() { - var actualConfig: SecurityConfiguration? = null - override fun createSslContextWithConfiguredCerts(secConfig: SecurityConfiguration): SslContextBuilder { - actualConfig = secConfig - return SslContextBuilder.forServer(resource("/ssl/ca.crt"), resource("/ssl/server.key")) + val cut = object : SslContextFactory() { + override fun createSslContextWithConfiguredCerts(secConfig: SecurityConfiguration): SslContextBuilder { + return SslContextBuilder.forServer(resource("/ssl/ca.crt"), resource("/ssl/server.key")) + } + + private fun resource(path: String) = SslContextFactoryTest.javaClass.getResourceAsStream(path) } - private fun resource(path: String) = SslContextFactoryTest.javaClass.getResourceAsStream(path) - } + on("creation of SSL context") { + val result = cut.createSslContext(sampleConfig) - val result = cut.createSslContext(sampleConfig) + it("should be server context") { + assertTrue(result.exists { + it.isServer + }) + } - it("should be server context") { - assertThat(result.isServer).isTrue() - } + it("should use OpenSSL provider") { + assertTrue(result.isDefined()) + } - it("should use OpenSSL provider") { - assertThat(result).isInstanceOf(OpenSslServerContext::class.java) + /* + * It is too important to leave it untested on unit level. + * Because of the Netty API design we need to do it this way. + */ + it("should turn on client authentication") { + val clientAuth: ClientAuth = ReferenceCountedOpenSslContext::class.java + .getDeclaredField("clientAuth") + .run { + isAccessible = true + get(result.orNull()) as ClientAuth + } + assertThat(clientAuth).isEqualTo(ClientAuth.REQUIRE) + } + } } - /* - * It is too important to leave it untested on unit level. - * Because of the Netty API design we need to do it this way. - */ - it("should turn on client authentication") { - val clientAuth: ClientAuth = ReferenceCountedOpenSslContext::class.java - .getDeclaredField("clientAuth") - .run { - isAccessible = true - get(result) as ClientAuth - } - assertThat(clientAuth).isEqualTo(ClientAuth.REQUIRE) + given("config with SSL disabled") { + val securityConfiguration = SecurityConfiguration( + sslDisable = true, + privateKey = Paths.get("sample", "key"), + cert = Paths.get("sample", "cert"), + trustedCert = Paths.get("/", "sample", "trusted", "cert") + ) + val cut = SslContextFactory() + + on("creation of SSL context") { + val result = cut.createSslContext(securityConfiguration) + + it("should not create any SSL context ") { + assertThat(result.isDefined()).isFalse() + } + } } + } }) |