author | Piotr Jaszczyk <piotr.jaszczyk@nokia.com> | 2019-02-15 12:59:26 +0100 |
---|---|---|
committer | Piotr Jaszczyk <piotr.jaszczyk@nokia.com> | 2019-02-19 12:51:46 +0100 |
commit | 82b27ff5bccc925fe03d05f259cf881fafc8a1ce (patch) | |
tree | d128931c70c19184d7b259d295ce39deeec370c3 /sources/hv-collector-ssl/src/main | |
parent | dc47bd1847a46fe0ad0ca6c10a4d61f829f4c0c6 (diff) |
Use SDK/SSL in HV-VES
Issue-ID: DCAEGEN2-1226
Change-Id: I7cfc09001f7315c1b6f4fcf150ad631630c810ef
Signed-off-by: Piotr Jaszczyk <piotr.jaszczyk@nokia.com>
Diffstat (limited to 'sources/hv-collector-ssl/src/main')
5 files changed, 31 insertions, 220 deletions
diff --git a/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/ClientSslContextFactory.kt b/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/ClientSslContextFactory.kt
deleted file mode 100644
index 0ad3d7b4..00000000
--- a/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/ClientSslContextFactory.kt
+++ /dev/null
@@ -1,52 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * dcaegen2-collectors-veshv - * ================================================================================ - * Copyright (C) 2018 NOKIA - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ -package org.onap.dcae.collectors.veshv.ssl.boundary - -import io.netty.handler.ssl.SslContextBuilder -import io.netty.handler.ssl.SslProvider -import org.onap.dcae.collectors.veshv.domain.JdkKeys -import org.onap.dcae.collectors.veshv.domain.OpenSslKeys -import org.onap.dcae.collectors.veshv.ssl.impl.SslFactories.keyManagerFactory -import org.onap.dcae.collectors.veshv.ssl.impl.SslFactories.trustManagerFactory - -/** - * @author Piotr Jaszczyk <piotr.jaszczyk@nokia.com> - * @since September 2018 - */ -open class ClientSslContextFactory : SslContextFactory() { - - override fun openSslContext(openSslKeys: OpenSslKeys) = SslContextBuilder.forClient() - .keyManager(openSslKeys.cert.toFile(), openSslKeys.privateKey.toFile()) - .trustManager(openSslKeys.trustedCert.toFile()) - .sslProvider(SslProvider.OPENSSL)!! 
- - override fun jdkContext(jdkKeys: JdkKeys) = - try { - val kmf = keyManagerFactory(jdkKeys) - val tmf = trustManagerFactory(jdkKeys) - SslContextBuilder.forClient() - .keyManager(kmf) - .trustManager(tmf) - .sslProvider(SslProvider.JDK)!! - } finally { - jdkKeys.forgetPasswords() - } - -} diff --git a/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/ServerSslContextFactory.kt b/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/ServerSslContextFactory.kt deleted file mode 100644 index d26937fc..00000000 --- a/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/ServerSslContextFactory.kt +++ /dev/null 
@@ -1,50 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * dcaegen2-collectors-veshv - * ================================================================================ - * Copyright (C) 2018 NOKIA - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ -package org.onap.dcae.collectors.veshv.ssl.boundary - -import io.netty.handler.ssl.SslContextBuilder -import io.netty.handler.ssl.SslProvider -import org.onap.dcae.collectors.veshv.domain.JdkKeys -import org.onap.dcae.collectors.veshv.domain.OpenSslKeys -import org.onap.dcae.collectors.veshv.ssl.impl.SslFactories.keyManagerFactory -import org.onap.dcae.collectors.veshv.ssl.impl.SslFactories.trustManagerFactory - -/** - * @author Piotr Jaszczyk <piotr.jaszczyk@nokia.com> - * @since September 2018 - */ -open class ServerSslContextFactory : SslContextFactory() { - - override fun openSslContext(openSslKeys: OpenSslKeys) = SslContextBuilder - .forServer(openSslKeys.cert.toFile(), openSslKeys.privateKey.toFile()) - .trustManager(openSslKeys.trustedCert.toFile()) - .sslProvider(SslProvider.OPENSSL)!! 
- - override fun jdkContext(jdkKeys: JdkKeys) = - try { - val kmf = keyManagerFactory(jdkKeys) - val tmf = trustManagerFactory(jdkKeys) - SslContextBuilder.forServer(kmf) - .trustManager(tmf) - .sslProvider(SslProvider.JDK)!! - } finally { - jdkKeys.forgetPasswords() - } -} diff --git a/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/SslContextFactory.kt b/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/SslContextFactory.kt index cad81eef..8a5959d8 100644 --- a/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/SslContextFactory.kt +++ b/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/SslContextFactory.kt 
@@ -20,39 +20,18 @@ package org.onap.dcae.collectors.veshv.ssl.boundary import arrow.core.Option -import io.netty.handler.ssl.ClientAuth import io.netty.handler.ssl.SslContext -import io.netty.handler.ssl.SslContextBuilder -import org.onap.dcae.collectors.veshv.domain.JdkKeys -import org.onap.dcae.collectors.veshv.domain.OpenSslKeys import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration +import org.onap.dcaegen2.services.sdk.security.ssl.SslFactory /** * @author Piotr Jaszczyk <piotr.jaszczyk@nokia.com> * @since September 2018 */ -abstract class SslContextFactory { - fun createSslContext(secConfig: SecurityConfiguration): Option<SslContext> = - if (secConfig.sslDisable) { - Option.empty() - } else { - createSslContextWithConfiguredCerts(secConfig) - .map { builder -> - builder.clientAuth(ClientAuth.REQUIRE) - .build() - } - } +class SslContextFactory(private val sslFactory: SslFactory = SslFactory()) { + fun createServerContext(secConfig: SecurityConfiguration): Option<SslContext> = + secConfig.keys.map { sslFactory.createSecureServerContext(it) } + fun createClientContext(secConfig: SecurityConfiguration): Option<SslContext> = + secConfig.keys.map { sslFactory.createSecureClientContext(it) } - protected open fun createSslContextWithConfiguredCerts( - secConfig: SecurityConfiguration - ): Option<SslContextBuilder> = - secConfig.keys.map { keys -> - when (keys) { - is JdkKeys -> jdkContext(keys) - is OpenSslKeys -> openSslContext(keys) - } - } - - protected abstract fun openSslContext(openSslKeys: OpenSslKeys): SslContextBuilder - protected abstract fun jdkContext(jdkKeys: JdkKeys): SslContextBuilder } diff --git a/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/utils.kt b/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/utils.kt index d3640c87..fb142639 100644 --- a/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/utils.kt 
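Review bot: The explicit `builder.clientAuth(ClientAuth.REQUIRE)` that the removed `createSslContext` applied to every server context is gone, and nothing in the new `createServerContext` records whether `SslFactory.createSecureServerContext` requires a client certificate; if the SDK default differs, the collector would silently stop enforcing mutual TLS. The two new functions also carry no KDoc, so the reader cannot tell that the `None` case now stands for "SSL disabled" (the old `secConfig.sslDisable` check was dropped in the same hunk). Suggest a KDoc on `createServerContext` such as `/** Server context built by the SDK; returns None when SSL is disabled. Client-certificate requirement is delegated to [SslFactory.createSecureServerContext] and must be pinned by a test. */` and a unit test that builds the context from test keys and asserts `ctx.newEngine(ByteBufAllocator.DEFAULT).needClientAuth`. The remaining lines of the class are visible in the hunk, so no other behaviour is hidden outside it.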
+++ b/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/boundary/utils.kt 
@@ -20,60 +20,49 @@ package org.onap.dcae.collectors.veshv.ssl.boundary import arrow.core.None -import arrow.core.Option import arrow.core.Some -import arrow.core.fix -import arrow.instances.option.monad.monad -import arrow.typeclasses.binding +import arrow.core.Try +import arrow.core.getOrElse import org.apache.commons.cli.CommandLine -import org.onap.dcae.collectors.veshv.domain.JdkKeys import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption import org.onap.dcae.collectors.veshv.utils.commandline.hasOption import org.onap.dcae.collectors.veshv.utils.commandline.stringValue -import java.io.File +import org.onap.dcaegen2.services.sdk.security.ssl.ImmutableSecurityKeys +import org.onap.dcaegen2.services.sdk.security.ssl.ImmutableSecurityKeysStore +import org.onap.dcaegen2.services.sdk.security.ssl.Passwords +import java.nio.file.Paths /** * @author Piotr Jaszczyk <piotr.jaszczyk@nokia.com> * @since September 2018 */ - const val KEY_STORE_FILE = "/etc/ves-hv/server.p12" const val TRUST_STORE_FILE = "/etc/ves-hv/trust.p12" -fun createSecurityConfiguration(cmdLine: CommandLine): Option<SecurityConfiguration> { - val sslDisable = cmdLine.hasOption(CommandLineOption.SSL_DISABLE) - - return if (sslDisable) disabledSecurityConfiguration(sslDisable) else enabledSecurityConfiguration(cmdLine) -} +fun createSecurityConfiguration(cmdLine: CommandLine): Try<SecurityConfiguration> = + if (cmdLine.hasOption(CommandLineOption.SSL_DISABLE)) + Try { disabledSecurityConfiguration() } + else + enabledSecurityConfiguration(cmdLine) -private fun disabledSecurityConfiguration(sslDisable: Boolean): Some<SecurityConfiguration> { - return Some(SecurityConfiguration( - sslDisable = sslDisable, - keys = None - )) -} +private fun disabledSecurityConfiguration() = SecurityConfiguration(keys = None) -private fun enabledSecurityConfiguration(cmdLine: CommandLine): Option<SecurityConfiguration> { - return 
Option.monad().binding { - val ksFile = cmdLine.stringValue(CommandLineOption.KEY_STORE_FILE, KEY_STORE_FILE) - val ksPass = cmdLine.stringValue(CommandLineOption.KEY_STORE_PASSWORD).bind() - val tsFile = cmdLine.stringValue(CommandLineOption.TRUST_STORE_FILE, TRUST_STORE_FILE) - val tsPass = cmdLine.stringValue(CommandLineOption.TRUST_STORE_PASSWORD).bind() +private fun enabledSecurityConfiguration(cmdLine: CommandLine) = Try { + val ksFile = cmdLine.stringValue(CommandLineOption.KEY_STORE_FILE, KEY_STORE_FILE) + val ksPass = cmdLine.stringValue(CommandLineOption.KEY_STORE_PASSWORD).getOrElse { "" } + val tsFile = cmdLine.stringValue(CommandLineOption.TRUST_STORE_FILE, TRUST_STORE_FILE) + val tsPass = cmdLine.stringValue(CommandLineOption.TRUST_STORE_PASSWORD).getOrElse { "" } - val keys = JdkKeys( - keyStore = streamFromFile(ksFile), - keyStorePassword = ksPass.toCharArray(), - trustStore = streamFromFile(tsFile), - trustStorePassword = tsPass.toCharArray() - ) + val keys = ImmutableSecurityKeys.builder() + .keyStore(ImmutableSecurityKeysStore.of(pathFromFile(ksFile))) + .keyStorePassword(Passwords.fromString(ksPass)) + .trustStore(ImmutableSecurityKeysStore.of(pathFromFile(tsFile))) + .trustStorePassword(Passwords.fromString(tsPass)) + .build() - SecurityConfiguration( - sslDisable = false, - keys = Some(keys) - ) - }.fix() + SecurityConfiguration(keys = Some(keys)) } -private fun streamFromFile(file: String) = { File(file).inputStream() } +private fun pathFromFile(file: String) = Paths.get(file) diff --git a/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/impl/SslFactories.kt b/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/impl/SslFactories.kt deleted file mode 100644 index 4a73a2aa..00000000 --- a/sources/hv-collector-ssl/src/main/kotlin/org/onap/dcae/collectors/veshv/ssl/impl/SslFactories.kt +++ /dev/null 
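Review bot: `enabledSecurityConfiguration` now turns a missing `KEY_STORE_PASSWORD` or `TRUST_STORE_PASSWORD` into an empty string through `.getOrElse { "" }`, whereas the removed `Option.monad().binding` version made the whole configuration `None` when either `.bind()` failed; a deployment that omits the password option is therefore accepted here and only fails (or loads a store with an empty password) later in the SDK. Since the function already runs inside `Try`, the absent option should become a failure at this point: `val ksPass = cmdLine.stringValue(CommandLineOption.KEY_STORE_PASSWORD).getOrElse { throw IllegalArgumentException("key store password is required when SSL is enabled") }` and the same shape for `tsPass`. A KDoc on `createSecurityConfiguration` should state that the returned `Try` is a failure when SSL is enabled and a required option is missing, so callers know to surface it rather than fall back.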
@@ -1,55 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * dcaegen2-collectors-veshv - * ================================================================================ - * Copyright (C) 2018 NOKIA - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ -package org.onap.dcae.collectors.veshv.ssl.impl - -import org.onap.dcae.collectors.veshv.domain.JdkKeys -import org.onap.dcae.collectors.veshv.domain.StreamProvider -import java.security.KeyStore -import javax.net.ssl.KeyManagerFactory -import javax.net.ssl.TrustManagerFactory - -/** - * @author Piotr Jaszczyk <piotr.jaszczyk@nokia.com> - * @since September 2018 - */ -internal object SslFactories { - - fun trustManagerFactory(jdkKeys: JdkKeys): TrustManagerFactory? { - val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()) - val ts = loadKeyStoreFromFile(jdkKeys.trustStore, jdkKeys.trustStorePassword) - tmf.init(ts) - return tmf - } - - fun keyManagerFactory(jdkKeys: JdkKeys): KeyManagerFactory? 
{ - val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()) - val ks = loadKeyStoreFromFile(jdkKeys.keyStore, jdkKeys.keyStorePassword) - kmf.init(ks, jdkKeys.keyStorePassword) - return kmf - } - - private fun loadKeyStoreFromFile(streamProvider: StreamProvider, password: CharArray): KeyStore { - val ks = KeyStore.getInstance("pkcs12") - streamProvider().use { - ks.load(it, password) - } - return ks - } -} |