From 069dcc194fd049e1c52e60d03ce2a9c0553289a7 Mon Sep 17 00:00:00 2001
From: Piotr Jaszczyk <piotr.jaszczyk@nokia.com>
Date: Thu, 20 Sep 2018 12:04:03 +0200
Subject: Use JDK security provider

Replace netty-tcnative bindings for OpenSSL with JDK provided
implementation by default.

Change-Id: I59a4797ce43d15a791eab00bfd25cb730a271207
Issue-ID: DCAEGEN2-816
Signed-off-by: Piotr Jaszczyk <piotr.jaszczyk@nokia.com>
---
 hv-collector-main/Dockerfile                       |  3 +-
 hv-collector-main/pom.xml                          |  8 +-
 .../collectors/veshv/main/ArgVesHvConfiguration.kt | 76 +++++++----------
 .../veshv/main/ArgVesHvConfigurationTest.kt        | 99 +++++-----------------
 4 files changed, 59 insertions(+), 127 deletions(-)

(limited to 'hv-collector-main')

diff --git a/hv-collector-main/Dockerfile b/hv-collector-main/Dockerfile
index 8216ac46..746deb51 100644
--- a/hv-collector-main/Dockerfile
+++ b/hv-collector-main/Dockerfile
@@ -6,8 +6,7 @@ LABEL license.url="http://www.apache.org/licenses/LICENSE-2.0"
 LABEL maintainer="Nokia Wroclaw ONAP Team"
 
 RUN apt-get update \
-        && apt-get install -y --no-install-recommends curl  \
-        && apt-get install -y --no-install-recommends netcat  \
+        && apt-get install -y --no-install-recommends curl netcat \
         && apt-get clean
 
 WORKDIR /opt/ves-hv-collector
diff --git a/hv-collector-main/pom.xml b/hv-collector-main/pom.xml
index ed37515d..571821a6 100644
--- a/hv-collector-main/pom.xml
+++ b/hv-collector-main/pom.xml
@@ -117,12 +117,18 @@
             <groupId>commons-cli</groupId>
             <artifactId>commons-cli</artifactId>
         </dependency>
+        <!-- See comment in main pom
+        <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-transport-native-epoll</artifactId>
+            <classifier>${os.detected.classifier}</classifier>
+        </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-tcnative-boringssl-static</artifactId>
-            <scope>runtime</scope>
             <classifier>${os.detected.classifier}</classifier>
         </dependency>
+        -->
         <dependency>
             <groupId>io.micrometer</groupId>
             <artifactId>micrometer-registry-jmx</artifactId>
diff --git a/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfiguration.kt b/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfiguration.kt
index 26230cd3..d6ff9efa 100644
--- a/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfiguration.kt
+++ b/hv-collector-main/src/main/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfiguration.kt
@@ -22,25 +22,31 @@ package org.onap.dcae.collectors.veshv.main
 import arrow.core.ForOption
 import arrow.core.Option
 import arrow.core.fix
+import arrow.core.monad
 import arrow.instances.extensions
 import arrow.typeclasses.binding
 import org.apache.commons.cli.CommandLine
 import org.apache.commons.cli.DefaultParser
-import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration
 import org.onap.dcae.collectors.veshv.model.ConfigurationProviderParams
 import org.onap.dcae.collectors.veshv.model.ServerConfiguration
+import org.onap.dcae.collectors.veshv.ssl.boundary.createSecurityConfiguration
 import org.onap.dcae.collectors.veshv.utils.commandline.ArgBasedConfiguration
-import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.CERT_FILE
 import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.CONSUL_CONFIG_URL
 import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.CONSUL_FIRST_REQUEST_DELAY
 import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.CONSUL_REQUEST_INTERVAL
 import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.DUMMY_MODE
 import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.HEALTH_CHECK_API_PORT
 import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.IDLE_TIMEOUT_SEC
+import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.KEY_STORE_FILE
+import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.KEY_STORE_PASSWORD
 import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.LISTEN_PORT
-import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.PRIVATE_KEY_FILE
 import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.SSL_DISABLE
-import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.TRUST_CERT_FILE
+import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.TRUST_STORE_FILE
+import org.onap.dcae.collectors.veshv.utils.commandline.CommandLineOption.TRUST_STORE_PASSWORD
+import org.onap.dcae.collectors.veshv.utils.commandline.hasOption
+import org.onap.dcae.collectors.veshv.utils.commandline.intValue
+import org.onap.dcae.collectors.veshv.utils.commandline.longValue
+import org.onap.dcae.collectors.veshv.utils.commandline.stringValue
 import java.time.Duration
 
 internal class ArgVesHvConfiguration : ArgBasedConfiguration<ServerConfiguration>(DefaultParser()) {
@@ -51,34 +57,33 @@ internal class ArgVesHvConfiguration : ArgBasedConfiguration<ServerConfiguration
             CONSUL_FIRST_REQUEST_DELAY,
             CONSUL_REQUEST_INTERVAL,
             SSL_DISABLE,
-            PRIVATE_KEY_FILE,
-            CERT_FILE,
-            TRUST_CERT_FILE,
+            KEY_STORE_FILE,
+            KEY_STORE_PASSWORD,
+            TRUST_STORE_FILE,
+            TRUST_STORE_PASSWORD,
             IDLE_TIMEOUT_SEC,
             DUMMY_MODE
     )
 
     override fun getConfiguration(cmdLine: CommandLine): Option<ServerConfiguration> =
-            ForOption extensions {
-                binding {
-                    val healthCheckApiPort = cmdLine.intValue(
-                            HEALTH_CHECK_API_PORT,
-                            DefaultValues.HEALTH_CHECK_API_PORT
-                    )
-                    val listenPort = cmdLine.intValue(LISTEN_PORT).bind()
-                    val idleTimeoutSec = cmdLine.longValue(IDLE_TIMEOUT_SEC, DefaultValues.IDLE_TIMEOUT_SEC)
-                    val dummyMode = cmdLine.hasOption(DUMMY_MODE)
-                    val security = createSecurityConfiguration(cmdLine)
-                    val configurationProviderParams = createConfigurationProviderParams(cmdLine).bind()
-                    ServerConfiguration(
-                            healthCheckApiPort = healthCheckApiPort,
-                            listenPort = listenPort,
-                            configurationProviderParams = configurationProviderParams,
-                            securityConfiguration = security,
-                            idleTimeout = Duration.ofSeconds(idleTimeoutSec),
-                            dummyMode = dummyMode)
-                }.fix()
-            }
+            Option.monad().binding {
+                val healthCheckApiPort = cmdLine.intValue(
+                        HEALTH_CHECK_API_PORT,
+                        DefaultValues.HEALTH_CHECK_API_PORT
+                )
+                val listenPort = cmdLine.intValue(LISTEN_PORT).bind()
+                val idleTimeoutSec = cmdLine.longValue(IDLE_TIMEOUT_SEC, DefaultValues.IDLE_TIMEOUT_SEC)
+                val dummyMode = cmdLine.hasOption(DUMMY_MODE)
+                val security = createSecurityConfiguration(cmdLine).bind()
+                val configurationProviderParams = createConfigurationProviderParams(cmdLine).bind()
+                ServerConfiguration(
+                        healthCheckApiPort = healthCheckApiPort,
+                        listenPort = listenPort,
+                        configurationProviderParams = configurationProviderParams,
+                        securityConfiguration = security,
+                        idleTimeout = Duration.ofSeconds(idleTimeoutSec),
+                        dummyMode = dummyMode)
+            }.fix()
 
     private fun createConfigurationProviderParams(cmdLine: CommandLine): Option<ConfigurationProviderParams> =
             ForOption extensions {
@@ -100,27 +105,10 @@ internal class ArgVesHvConfiguration : ArgBasedConfiguration<ServerConfiguration
                 }.fix()
             }
 
-    private fun createSecurityConfiguration(cmdLine: CommandLine): SecurityConfiguration {
-        val sslDisable = cmdLine.hasOption(SSL_DISABLE)
-        val pkFile = cmdLine.stringValue(PRIVATE_KEY_FILE, DefaultValues.PRIVATE_KEY_FILE)
-        val certFile = cmdLine.stringValue(CERT_FILE, DefaultValues.CERT_FILE)
-        val trustCertFile = cmdLine.stringValue(TRUST_CERT_FILE, DefaultValues.TRUST_CERT_FILE)
-
-        return SecurityConfiguration(
-                sslDisable = sslDisable,
-                privateKey = stringPathToPath(pkFile),
-                cert = stringPathToPath(certFile),
-                trustedCert = stringPathToPath(trustCertFile)
-        )
-    }
-
     internal object DefaultValues {
         const val HEALTH_CHECK_API_PORT = 6060
         const val CONSUL_FIRST_REQUEST_DELAY = 10L
         const val CONSUL_REQUEST_INTERVAL = 5L
-        const val PRIVATE_KEY_FILE = "/etc/ves-hv/server.key"
-        const val CERT_FILE = "/etc/ves-hv/server.crt"
-        const val TRUST_CERT_FILE = "/etc/ves-hv/trust.crt"
         const val IDLE_TIMEOUT_SEC = 60L
     }
 }
diff --git a/hv-collector-main/src/test/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfigurationTest.kt b/hv-collector-main/src/test/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfigurationTest.kt
index 26507197..0cf0bb2c 100644
--- a/hv-collector-main/src/test/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfigurationTest.kt
+++ b/hv-collector-main/src/test/kotlin/org/onap/dcae/collectors/veshv/main/ArgVesHvConfigurationTest.kt
@@ -19,20 +19,20 @@
  */
 package org.onap.dcae.collectors.veshv.main
 
+import arrow.core.identity
 import org.assertj.core.api.Assertions.assertThat
 import org.jetbrains.spek.api.Spek
 import org.jetbrains.spek.api.dsl.describe
 import org.jetbrains.spek.api.dsl.given
 import org.jetbrains.spek.api.dsl.it
 import org.jetbrains.spek.api.dsl.on
-import org.onap.dcae.collectors.veshv.domain.SecurityConfiguration
-import org.onap.dcae.collectors.veshv.main.ArgVesHvConfiguration.DefaultValues
+import org.onap.dcae.collectors.veshv.domain.JdkKeys
 import org.onap.dcae.collectors.veshv.model.ServerConfiguration
 import org.onap.dcae.collectors.veshv.tests.utils.parseExpectingFailure
 import org.onap.dcae.collectors.veshv.tests.utils.parseExpectingSuccess
 import org.onap.dcae.collectors.veshv.utils.commandline.WrongArgumentError
-import java.nio.file.Paths
 import java.time.Duration
+import kotlin.test.assertNotNull
 
 /**
  * @author Piotr Jaszczyk <piotr.jaszczyk@nokia.com>
@@ -45,9 +45,8 @@ object ArgVesHvConfigurationTest : Spek({
     val firstRequestDelay = "10"
     val requestInterval = "5"
     val listenPort = "6969"
-    val pk = Paths.get("/", "etc", "ves", "pk.pem")
-    val cert = Paths.get("/", "etc", "ssl", "certs", "ca-bundle.crt")
-    val trustCert = Paths.get("/", "etc", "ves", "trusted.crt")
+    val keyStorePassword = "kspass"
+    val trustStorePassword = "tspass"
 
     beforeEachTest {
         cut = ArgVesHvConfiguration()
@@ -58,15 +57,17 @@ object ArgVesHvConfigurationTest : Spek({
             lateinit var result: ServerConfiguration
 
             beforeEachTest {
-                result = cut.parseExpectingSuccess("--ssl-disable",
+                result = cut.parseExpectingSuccess(
                         "--health-check-api-port", healthCheckApiPort,
                         "--listen-port", listenPort,
                         "--config-url", configurationUrl,
                         "--first-request-delay", firstRequestDelay,
                         "--request-interval", requestInterval,
-                        "--private-key-file", pk.toFile().absolutePath,
-                        "--cert-file", cert.toFile().absolutePath,
-                        "--trust-cert-file", trustCert.toFile().absolutePath)
+                        "--key-store", "/tmp/keys.p12",
+                        "--trust-store", "/tmp/trust.p12",
+                        "--key-store-password", keyStorePassword,
+                        "--trust-store-password", trustStorePassword
+                )
             }
 
             it("should set proper health check api port") {
@@ -93,69 +94,13 @@ object ArgVesHvConfigurationTest : Spek({
             }
 
             it("should set proper security configuration") {
-                assertThat(result.securityConfiguration).isEqualTo(
-                        SecurityConfiguration(sslDisable = true, privateKey = pk, cert = cert, trustedCert = trustCert)
-                )
-            }
-        }
-
-        given("some parameters are present in the short form") {
-            lateinit var result: ServerConfiguration
-
-            beforeEachTest {
-                result = cut.parseExpectingSuccess(
-                        "-p", listenPort, "-c", configurationUrl, "-d", firstRequestDelay
-                )
-            }
+                assertThat(result.securityConfiguration.sslDisable).isFalse()
 
-            it("should set proper port") {
-                assertThat(result.listenPort).isEqualTo(listenPort.toInt())
-            }
-
-            it("should set proper first consul request delay") {
-                assertThat(result.configurationProviderParams.firstRequestDelay)
-                        .isEqualTo(Duration.ofSeconds(firstRequestDelay.toLong()))
-            }
-
-            it("should set proper config url") {
-                assertThat(result.configurationProviderParams.configurationUrl)
-                        .isEqualTo(configurationUrl)
-            }
-        }
-
-        given("all optional parameters are absent") {
-            lateinit var result: ServerConfiguration
-
-            beforeEachTest {
-                result = cut.parseExpectingSuccess(
-                        "--listen-port", listenPort, "--config-url", configurationUrl
-                )
-            }
-
-            it("should set default first consul request delay") {
-                assertThat(result.configurationProviderParams.firstRequestDelay)
-                        .isEqualTo(Duration.ofSeconds(DefaultValues.CONSUL_FIRST_REQUEST_DELAY))
-            }
-
-            it("should set default consul request interval") {
-                assertThat(result.configurationProviderParams.requestInterval)
-                        .isEqualTo(Duration.ofSeconds(DefaultValues.CONSUL_REQUEST_INTERVAL))
-            }
-
-            on("security config") {
-                val securityConfiguration = result.securityConfiguration
-
-                it("should set default trust cert file") {
-                    assertThat(securityConfiguration.trustedCert.toString()).isEqualTo(DefaultValues.TRUST_CERT_FILE)
-                }
-
-                it("should set default server cert file") {
-                    assertThat(securityConfiguration.cert.toString()).isEqualTo(DefaultValues.CERT_FILE)
-                }
-
-                it("should set default private key file") {
-                    assertThat(securityConfiguration.privateKey.toString()).isEqualTo(DefaultValues.PRIVATE_KEY_FILE)
-                }
+                val keys = result.securityConfiguration.keys.orNull() as JdkKeys
+                assertNotNull(keys.keyStore)
+                assertNotNull(keys.trustStore)
+                assertThat(keys.keyStorePassword).isEqualTo(keyStorePassword.toCharArray())
+                assertThat(keys.trustStorePassword).isEqualTo(trustStorePassword.toCharArray())
             }
         }
 
@@ -166,10 +111,7 @@ object ArgVesHvConfigurationTest : Spek({
                             "--config-url", configurationUrl,
                             "--ssl-disable",
                             "--first-request-delay", firstRequestDelay,
-                            "--request-interval", requestInterval,
-                            "--private-key-file", pk.toFile().absolutePath,
-                            "--cert-file", cert.toFile().absolutePath,
-                            "--trust-cert-file", trustCert.toFile().absolutePath)
+                            "--request-interval", requestInterval)
                     ).isInstanceOf(WrongArgumentError::class.java)
                 }
             }
@@ -179,10 +121,7 @@ object ArgVesHvConfigurationTest : Spek({
                             "--listen-port", listenPort,
                             "--ssl-disable",
                             "--first-request-delay", firstRequestDelay,
-                            "--request-interval", requestInterval,
-                            "--private-key-file", pk.toFile().absolutePath,
-                            "--cert-file", cert.toFile().absolutePath,
-                            "--trust-cert-file", trustCert.toFile().absolutePath)
+                            "--request-interval", requestInterval)
                     ).isInstanceOf(WrongArgumentError::class.java)
                 }
             }
-- 
cgit 1.2.3-korg