From 0d15767178ffff59009de51d3737883aa81df2a6 Mon Sep 17 00:00:00 2001 From: kjaniak Date: Tue, 17 Jul 2018 11:50:10 +0200 Subject: Add command line option to disable SSL/TLS Closes ONAP-508 Change-Id: If6c3935ede7b00dea9b36747c6cd1422c1c8d330 Signed-off-by: kjaniak Issue-ID: DCAEGEN2-601 --- hv-collector-core/pom.xml | 4 + .../collectors/veshv/impl/socket/NettyTcpServer.kt | 5 +- .../veshv/impl/socket/SslContextFactory.kt | 17 +++-- .../veshv/impl/socket/SslContextFactoryTest.kt | 85 ++++++++++++++-------- .../veshv/domain/SecurityConfiguration.kt | 1 + .../veshv/main/ArgBasedServerConfiguration.kt | 3 + .../veshv/main/ArgBasedServerConfigurationTest.kt | 5 +- .../veshv/utils/commandline/CommandLineOption.kt | 5 ++ .../xnf/config/ArgConfigurationProvider.kt | 10 +-- .../main/config/ArgConfigurationProviderTest.kt | 38 +++++++++- 10 files changed, 126 insertions(+), 47 deletions(-) diff --git a/hv-collector-core/pom.xml b/hv-collector-core/pom.xml index 18657316..cf99867f 100644 --- a/hv-collector-core/pom.xml +++ b/hv-collector-core/pom.xml @@ -82,6 +82,10 @@ io.arrow-kt arrow-effects + + io.arrow-kt + arrow-core + io.projectreactor reactor-core diff --git a/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/NettyTcpServer.kt b/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/NettyTcpServer.kt index e9985766..61e1ebff 100644 --- a/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/NettyTcpServer.kt +++ b/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/NettyTcpServer.kt @@ -19,7 +19,9 @@ */ package org.onap.dcae.collectors.veshv.impl.socket +import arrow.core.Option import arrow.effects.IO +import io.netty.handler.ssl.SslContext import org.onap.dcae.collectors.veshv.boundary.CollectorProvider import org.onap.dcae.collectors.veshv.boundary.Server import org.onap.dcae.collectors.veshv.boundary.ServerHandle @@ -54,8 +56,9 @@ internal class NettyTcpServer(private val serverConfig: ServerConfiguration, } private fun configureServer(opts: ServerOptions.Builder<*>) { + val sslContext: Option = sslContextFactory.createSslContext(serverConfig.securityConfiguration) + if (sslContext.isDefined()) opts.sslContext(sslContext.orNull()) opts.port(serverConfig.port) - opts.sslContext(sslContextFactory.createSslContext(serverConfig.securityConfiguration)) } private fun handleConnection(nettyInbound: NettyInbound): Mono { diff --git a/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactory.kt b/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactory.kt index b6fb1cf8..0dce0d61 100644 --- a/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactory.kt +++ b/hv-collector-core/src/main/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactory.kt @@ -19,6 +19,9 @@ */ package org.onap.dcae.collectors.veshv.impl.socket +import arrow.core.None +import arrow.core.Option +import arrow.core.Some import io.netty.handler.ssl.ClientAuth import io.netty.handler.ssl.SslContext import io.netty.handler.ssl.SslContextBuilder @@ -27,11 +30,15 @@ import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration internal open class SslContextFactory { - fun createSslContext(secConfig: SecurityConfiguration): SslContext = - createSslContextWithConfiguredCerts(secConfig) - .sslProvider(SslProvider.OPENSSL) - .clientAuth(ClientAuth.REQUIRE) - .build() + fun createSslContext(secConfig: SecurityConfiguration): Option = + if (secConfig.sslDisable) { + Option.empty() + } else { + Option.just(createSslContextWithConfiguredCerts(secConfig) + .sslProvider(SslProvider.OPENSSL) + .clientAuth(ClientAuth.REQUIRE) + .build()) + } protected open fun createSslContextWithConfiguredCerts(secConfig: SecurityConfiguration): SslContextBuilder = SslContextBuilder.forServer(secConfig.cert.toFile(), secConfig.privateKey.toFile()) diff --git a/hv-collector-core/src/test/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactoryTest.kt b/hv-collector-core/src/test/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactoryTest.kt index 26a25d33..deb4e183 100644 --- a/hv-collector-core/src/test/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactoryTest.kt +++ b/hv-collector-core/src/test/kotlin/org/onap/dcae/collectors/veshv/impl/socket/SslContextFactoryTest.kt @@ -20,15 +20,17 @@ package org.onap.dcae.collectors.veshv.impl.socket import io.netty.handler.ssl.ClientAuth -import io.netty.handler.ssl.OpenSslServerContext import io.netty.handler.ssl.ReferenceCountedOpenSslContext import io.netty.handler.ssl.SslContextBuilder import org.assertj.core.api.Assertions.assertThat import org.jetbrains.spek.api.Spek import org.jetbrains.spek.api.dsl.describe +import org.jetbrains.spek.api.dsl.given import org.jetbrains.spek.api.dsl.it +import org.jetbrains.spek.api.dsl.on import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration import java.nio.file.Paths +import kotlin.test.assertTrue /** * @author Piotr Jaszczyk @@ -36,43 +38,66 @@ import java.nio.file.Paths */ object SslContextFactoryTest : Spek({ describe("SslContextFactory") { - val sampleConfig = SecurityConfiguration( - privateKey = Paths.get("/", "tmp", "pk.pem"), - cert = Paths.get("/", "tmp", "cert.crt"), - trustedCert = Paths.get("/", "tmp", "clientCa.crt")) + given("config without disabled SSL") { + val sampleConfig = SecurityConfiguration( + privateKey = Paths.get("/", "tmp", "pk.pem"), + cert = Paths.get("/", "tmp", "cert.crt"), + trustedCert = Paths.get("/", "tmp", "clientCa.crt")) - val cut = object : SslContextFactory() { - var actualConfig: SecurityConfiguration? = null - override fun createSslContextWithConfiguredCerts(secConfig: SecurityConfiguration): SslContextBuilder { - actualConfig = secConfig - return SslContextBuilder.forServer(resource("/ssl/ca.crt"), resource("/ssl/server.key")) + val cut = object : SslContextFactory() { + override fun createSslContextWithConfiguredCerts(secConfig: SecurityConfiguration): SslContextBuilder { + return SslContextBuilder.forServer(resource("/ssl/ca.crt"), resource("/ssl/server.key")) + } + + private fun resource(path: String) = SslContextFactoryTest.javaClass.getResourceAsStream(path) } - private fun resource(path: String) = SslContextFactoryTest.javaClass.getResourceAsStream(path) - } + on("creation of SSL context") { + val result = cut.createSslContext(sampleConfig) - val result = cut.createSslContext(sampleConfig) + it("should be server context") { + assertTrue(result.exists { + it.isServer + }) + } - it("should be server context") { - assertThat(result.isServer).isTrue() - } + it("should use OpenSSL provider") { + assertTrue(result.isDefined()) + } - it("should use OpenSSL provider") { - assertThat(result).isInstanceOf(OpenSslServerContext::class.java) + /* + * It is too important to leave it untested on unit level. + * Because of the Netty API design we need to do it this way. + */ + it("should turn on client authentication") { + val clientAuth: ClientAuth = ReferenceCountedOpenSslContext::class.java + .getDeclaredField("clientAuth") + .run { + isAccessible = true + get(result.orNull()) as ClientAuth + } + assertThat(clientAuth).isEqualTo(ClientAuth.REQUIRE) + } + } } - /* - * It is too important to leave it untested on unit level. - * Because of the Netty API design we need to do it this way. - */ - it("should turn on client authentication") { - val clientAuth: ClientAuth = ReferenceCountedOpenSslContext::class.java - .getDeclaredField("clientAuth") - .run { - isAccessible = true - get(result) as ClientAuth - } - assertThat(clientAuth).isEqualTo(ClientAuth.REQUIRE) + given("config with SSL disabled") { + val securityConfiguration = SecurityConfiguration( + sslDisable = true, + privateKey = Paths.get("sample", "key"), + cert = Paths.get("sample", "cert"), + trustedCert = Paths.get("/", "sample", "trusted", "cert") + ) + val cut = SslContextFactory() + + on("creation of SSL context") { + val result = cut.createSslContext(securityConfiguration) + + it("should not create any SSL context ") { + assertThat(result.isDefined()).isFalse() + } + } } + } }) diff --git a/hv-collector-domain/src/main/kotlin/org/onap/dcae/collectors/veshv/domain/SecurityConfiguration.kt b/hv-collector-domain/src/main/kotlin/org/onap/dcae/collectors/veshv/domain/SecurityConfiguration.kt index 6f28b6e9..e409eb7a 100644 --- a/hv-collector-domain/src/main/kotlin/org/onap/dcae/collectors/veshv/domain/SecurityConfiguration.kt +++ b/hv-collector-domain/src/main/kotlin/org/onap/dcae/collectors/veshv/domain/SecurityConfiguration.kt @@ -26,6 +26,7 @@ import java.nio.file.Path * @since May 2018 */ data class SecurityConfiguration( + val sslDisable: Boolean = false, val privateKey: Path, val cert: Path, val trustedCert: Path) diff --git a/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgBasedServerConfiguration.kt b/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgBasedServerConfiguration.kt index 9e4c5f2d..35ca09d8 100644 --- a/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgBasedServerConfiguration.kt +++ b/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgBasedServerConfiguration.kt @@ -42,6 +42,7 @@ internal class ArgBasedServerConfiguration : ArgBasedConfiguration