diff options
author | Piotr Jaszczyk <piotr.jaszczyk@nokia.com> | 2018-09-20 12:04:03 +0200 |
---|---|---|
committer | Piotr Jaszczyk <piotr.jaszczyk@nokia.com> | 2018-09-24 14:25:32 +0200 |
commit | 069dcc194fd049e1c52e60d03ce2a9c0553289a7 (patch) | |
tree | 7916a4fa6b15734301c1e78bb8a20adf22532b4f /hv-collector-main | |
parent | 7b269674526a267f14895df8b825f3b59b30b98a (diff) |
Use JDK security provider
Replace netty-tcnative bindings for OpenSSL with JDK provided
implementation by default.
Change-Id: I59a4797ce43d15a791eab00bfd25cb730a271207
Issue-ID: DCAEGEN2-816
Signed-off-by: Piotr Jaszczyk <piotr.jaszczyk@nokia.com>
Diffstat (limited to 'hv-collector-main')
4 files changed, 59 insertions, 127 deletions
diff --git a/hv-collector-main/Dockerfile b/hv-collector-main/Dockerfile index 8216ac46..746deb51 100644 --- a/hv-collector-main/Dockerfile +++ b/hv-collector-main/Dockerfile @@ -6,8 +6,7 @@ LABEL license.url="http://www.apache.org/licenses/LICENSE-2.0" LABEL maintainer="Nokia Wroclaw ONAP Team" RUN apt-get update \ - && apt-get install -y --no-install-recommends curl \ - && apt-get install -y --no-install-recommends netcat \ + && apt-get install -y --no-install-recommends curl netcat \ && apt-get clean WORKDIR /opt/ves-hv-collector diff --git a/hv-collector-main/pom.xml b/hv-collector-main/pom.xml index ed37515d..571821a6 100644 --- a/hv-collector-main/pom.xml +++ b/hv-collector-main/pom.xml @@ -117,12 +117,18 @@ <groupId>commons-cli</groupId> <artifactId>commons-cli</artifactId> </dependency> + <!-- See comment in main pom + <dependency> + <groupId>io.netty</groupId> + <artifactId>netty-transport-native-epoll</artifactId> + <classifier>${os.detected.classifier}</classifier> + </dependency> <dependency> <groupId>io.netty</groupId> <artifactId>netty-tcnative-boringssl-static</artifactId> - <scope>runtime</scope> <classifier>${os.detected.classifier}</classifier> </dependency> + --> <dependency> <groupId>io.micrometer</groupId> <artifactId>micrometer-registry-jmx</artifactId> diff --git a/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfiguration.kt b/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfiguration.kt index 26230cd3..d6ff9efa 100644 --- a/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfiguration.kt +++ b/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfiguration.kt @@ -22,25 +22,31 @@ package org.onap.dcae.collectors.veshv.main import arrow.core.ForOption import arrow.core.Option import arrow.core.fix +import arrow.core.monad import arrow.instances.extensions import arrow.typeclasses.binding import org.apache.commons.cli.CommandLine import org.apache.commons.cli.DefaultParser -import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration import org.onap.dcae.collectors.veshv.model.ConfigurationProviderParams import org.onap.dcae.collectors.veshv.model.ServerConfiguration +import org.onap.dcae.collectors.veshv.ssl.boundary.createSecurityConfiguration import org.onap.dcae.collectors.veshv.utils.commandline.ArgBasedConfiguration -import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.CERT_FILE import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.CONSUL_CONFIG_URL import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.CONSUL_FIRST_REQUEST_DELAY import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.CONSUL_REQUEST_INTERVAL import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.DUMMY_MODE import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.HEALTH_CHECK_API_PORT import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.IDLE_TIMEOUT_SEC +import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.KEY_STORE_FILE +import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.KEY_STORE_PASSWORD import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.LISTEN_PORT -import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.PRIVATE_KEY_FILE import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.SSL_DISABLE -import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.TRUST_CERT_FILE +import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.TRUST_STORE_FILE +import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.TRUST_STORE_PASSWORD +import org.onap.dcae.collectors.veshv.utils.commandline.hasOption +import org.onap.dcae.collectors.veshv.utils.commandline.intValue +import org.onap.dcae.collectors.veshv.utils.commandline.longValue +import org.onap.dcae.collectors.veshv.utils.commandline.stringValue import java.time.Duration internal class ArgVesHvConfiguration : ArgBasedConfiguration<ServerConfiguration>(DefaultParser()) { @@ -51,34 +57,33 @@ internal class ArgVesHvConfiguration : ArgBasedConfiguration<ServerConfiguration CONSUL_FIRST_REQUEST_DELAY, CONSUL_REQUEST_INTERVAL, SSL_DISABLE, - PRIVATE_KEY_FILE, - CERT_FILE, - TRUST_CERT_FILE, + KEY_STORE_FILE, + KEY_STORE_PASSWORD, + TRUST_STORE_FILE, + TRUST_STORE_PASSWORD, IDLE_TIMEOUT_SEC, DUMMY_MODE ) override fun getConfiguration(cmdLine: CommandLine): Option<ServerConfiguration> = - ForOption extensions { - binding { - val healthCheckApiPort = cmdLine.intValue( - HEALTH_CHECK_API_PORT, - DefaultValues.HEALTH_CHECK_API_PORT - ) - val listenPort = cmdLine.intValue(LISTEN_PORT).bind() - val idleTimeoutSec = cmdLine.longValue(IDLE_TIMEOUT_SEC, DefaultValues.IDLE_TIMEOUT_SEC) - val dummyMode = cmdLine.hasOption(DUMMY_MODE) - val security = createSecurityConfiguration(cmdLine) - val configurationProviderParams = createConfigurationProviderParams(cmdLine).bind() - ServerConfiguration( - healthCheckApiPort = healthCheckApiPort, - listenPort = listenPort, - configurationProviderParams = configurationProviderParams, - securityConfiguration = security, - idleTimeout = Duration.ofSeconds(idleTimeoutSec), - dummyMode = dummyMode) - }.fix() - } + Option.monad().binding { + val healthCheckApiPort = cmdLine.intValue( + HEALTH_CHECK_API_PORT, + DefaultValues.HEALTH_CHECK_API_PORT + ) + val listenPort = cmdLine.intValue(LISTEN_PORT).bind() + val idleTimeoutSec = cmdLine.longValue(IDLE_TIMEOUT_SEC, DefaultValues.IDLE_TIMEOUT_SEC) + val dummyMode = cmdLine.hasOption(DUMMY_MODE) + val security = createSecurityConfiguration(cmdLine).bind() + val configurationProviderParams = createConfigurationProviderParams(cmdLine).bind() + ServerConfiguration( + healthCheckApiPort = healthCheckApiPort, + listenPort = listenPort, + configurationProviderParams = configurationProviderParams, + securityConfiguration = security, + idleTimeout = Duration.ofSeconds(idleTimeoutSec), + dummyMode = dummyMode) + }.fix() private fun createConfigurationProviderParams(cmdLine: CommandLine): Option<ConfigurationProviderParams> = ForOption extensions { @@ -100,27 +105,10 @@ internal class ArgVesHvConfiguration : ArgBasedConfiguration<ServerConfiguration }.fix() } - private fun createSecurityConfiguration(cmdLine: CommandLine): SecurityConfiguration { - val sslDisable = cmdLine.hasOption(SSL_DISABLE) - val pkFile = cmdLine.stringValue(PRIVATE_KEY_FILE, DefaultValues.PRIVATE_KEY_FILE) - val certFile = cmdLine.stringValue(CERT_FILE, DefaultValues.CERT_FILE) - val trustCertFile = cmdLine.stringValue(TRUST_CERT_FILE, DefaultValues.TRUST_CERT_FILE) - - return SecurityConfiguration( - sslDisable = sslDisable, - privateKey = stringPathToPath(pkFile), - cert = stringPathToPath(certFile), - trustedCert = stringPathToPath(trustCertFile) - ) - } - internal object DefaultValues { const val HEALTH_CHECK_API_PORT = 6060 const val CONSUL_FIRST_REQUEST_DELAY = 10L const val CONSUL_REQUEST_INTERVAL = 5L - const val PRIVATE_KEY_FILE = "/etc/ves-hv/server.key" - const val CERT_FILE = "/etc/ves-hv/server.crt" - const val TRUST_CERT_FILE = "/etc/ves-hv/trust.crt" const val IDLE_TIMEOUT_SEC = 60L } } diff --git a/hv-collector-main/src/test/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfigurationTest.kt b/hv-collector-main/src/test/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfigurationTest.kt index 26507197..0cf0bb2c 100644 --- a/hv-collector-main/src/test/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfigurationTest.kt +++ b/hv-collector-main/src/test/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfigurationTest.kt @@ -19,20 +19,20 @@ */ package org.onap.dcae.collectors.veshv.main +import arrow.core.identity import org.assertj.core.api.Assertions.assertThat import org.jetbrains.spek.api.Spek import org.jetbrains.spek.api.dsl.describe import org.jetbrains.spek.api.dsl.given import org.jetbrains.spek.api.dsl.it import org.jetbrains.spek.api.dsl.on -import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration -import org.onap.dcae.collectors.veshv.main.ArgVesHvConfiguration.DefaultValues +import org.onap.dcae.collectors.veshv.domain.JdkKeys import org.onap.dcae.collectors.veshv.model.ServerConfiguration import org.onap.dcae.collectors.veshv.tests.utils.parseExpectingFailure import org.onap.dcae.collectors.veshv.tests.utils.parseExpectingSuccess import org.onap.dcae.collectors.veshv.utils.commandline.WrongArgumentError -import java.nio.file.Paths import java.time.Duration +import kotlin.test.assertNotNull /** * @author Piotr Jaszczyk <piotr.jaszczyk@nokia.com> @@ -45,9 +45,8 @@ object ArgVesHvConfigurationTest : Spek({ val firstRequestDelay = "10" val requestInterval = "5" val listenPort = "6969" - val pk = Paths.get("/", "etc", "ves", "pk.pem") - val cert = Paths.get("/", "etc", "ssl", "certs", "ca-bundle.crt") - val trustCert = Paths.get("/", "etc", "ves", "trusted.crt") + val keyStorePassword = "kspass" + val trustStorePassword = "tspass" beforeEachTest { cut = ArgVesHvConfiguration() @@ -58,15 +57,17 @@ object ArgVesHvConfigurationTest : Spek({ lateinit var result: ServerConfiguration beforeEachTest { - result = cut.parseExpectingSuccess("--ssl-disable", + result = cut.parseExpectingSuccess( "--health-check-api-port", healthCheckApiPort, "--listen-port", listenPort, "--config-url", configurationUrl, "--first-request-delay", firstRequestDelay, "--request-interval", requestInterval, - "--private-key-file", pk.toFile().absolutePath, - "--cert-file", cert.toFile().absolutePath, - "--trust-cert-file", trustCert.toFile().absolutePath) + "--key-store", "/tmp/keys.p12", + "--trust-store", "/tmp/trust.p12", + "--key-store-password", keyStorePassword, + "--trust-store-password", trustStorePassword + ) } it("should set proper health check api port") { @@ -93,69 +94,13 @@ object ArgVesHvConfigurationTest : Spek({ } it("should set proper security configuration") { - assertThat(result.securityConfiguration).isEqualTo( - SecurityConfiguration(sslDisable = true, privateKey = pk, cert = cert, trustedCert = trustCert) - ) - } - } - - given("some parameters are present in the short form") { - lateinit var result: ServerConfiguration - - beforeEachTest { - result = cut.parseExpectingSuccess( - "-p", listenPort, "-c", configurationUrl, "-d", firstRequestDelay - ) - } + assertThat(result.securityConfiguration.sslDisable).isFalse() - it("should set proper port") { - assertThat(result.listenPort).isEqualTo(listenPort.toInt()) - } - - it("should set proper first consul request delay") { - assertThat(result.configurationProviderParams.firstRequestDelay) - .isEqualTo(Duration.ofSeconds(firstRequestDelay.toLong())) - } - - it("should set proper config url") { - assertThat(result.configurationProviderParams.configurationUrl) - .isEqualTo(configurationUrl) - } - } - - given("all optional parameters are absent") { - lateinit var result: ServerConfiguration - - beforeEachTest { - result = cut.parseExpectingSuccess( - "--listen-port", listenPort, "--config-url", configurationUrl - ) - } - - it("should set default first consul request delay") { - assertThat(result.configurationProviderParams.firstRequestDelay) - .isEqualTo(Duration.ofSeconds(DefaultValues.CONSUL_FIRST_REQUEST_DELAY)) - } - - it("should set default consul request interval") { - assertThat(result.configurationProviderParams.requestInterval) - .isEqualTo(Duration.ofSeconds(DefaultValues.CONSUL_REQUEST_INTERVAL)) - } - - on("security config") { - val securityConfiguration = result.securityConfiguration - - it("should set default trust cert file") { - assertThat(securityConfiguration.trustedCert.toString()).isEqualTo(DefaultValues.TRUST_CERT_FILE) - } - - it("should set default server cert file") { - assertThat(securityConfiguration.cert.toString()).isEqualTo(DefaultValues.CERT_FILE) - } - - it("should set default private key file") { - assertThat(securityConfiguration.privateKey.toString()).isEqualTo(DefaultValues.PRIVATE_KEY_FILE) - } + val keys = result.securityConfiguration.keys.orNull() as JdkKeys + assertNotNull(keys.keyStore) + assertNotNull(keys.trustStore) + assertThat(keys.keyStorePassword).isEqualTo(keyStorePassword.toCharArray()) + assertThat(keys.trustStorePassword).isEqualTo(trustStorePassword.toCharArray()) } } @@ -166,10 +111,7 @@ object ArgVesHvConfigurationTest : Spek({ "--config-url", configurationUrl, "--ssl-disable", "--first-request-delay", firstRequestDelay, - "--request-interval", requestInterval, - "--private-key-file", pk.toFile().absolutePath, - "--cert-file", cert.toFile().absolutePath, - "--trust-cert-file", trustCert.toFile().absolutePath) + "--request-interval", requestInterval) ).isInstanceOf(WrongArgumentError::class.java) } } @@ -179,10 +121,7 @@ object ArgVesHvConfigurationTest : Spek({ "--listen-port", listenPort, "--ssl-disable", "--first-request-delay", firstRequestDelay, - "--request-interval", requestInterval, - "--private-key-file", pk.toFile().absolutePath, - "--cert-file", cert.toFile().absolutePath, - "--trust-cert-file", trustCert.toFile().absolutePath) + "--request-interval", requestInterval) ).isInstanceOf(WrongArgumentError::class.java) } } |