diff options
| author |   Zlatko Murgoski <zlatko.murgoski@nokia.com> | 2018-12-03 12:28:41 +0100 |
|---|---|---|
| committer | Zlatko Murgoski <zlatko.murgoski@nokia.com> | 2018-12-07 14:50:10 +0100 |
| commit | 27b6e6483e73e37a235b8160ad9a1c9f3f68d5ea (patch) | |
| tree | 3d99f292f243d17eee2a47386950f198013a7c02 | |
| parent | 1afc93ddb4afc226562043822f6c5e9dc0ed4b2a (diff) | |
Remove clear text password
Change to SHA256
Change-Id: I1c41247cf4094523b61487cbce0030d585982b06
Issue-ID: DCAEGEN2-978
Signed-off-by: Zlatko Murgoski <zlatko.murgoski@nokia.com>
| -rw-r--r-- | README.md | 8 | ||||
| -rwxr-xr-x | etc/collector.properties | 4 | ||||
| -rw-r--r-- | src/main/java/org/onap/dcae/ApplicationSettings.java | 6 | ||||
| -rw-r--r-- | src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java | 15 | ||||
| -rw-r--r-- | src/main/java/org/onap/dcae/restapi/ApiConfiguration.java | 1 | ||||
| -rw-r--r-- | src/test/java/org/onap/dcae/ApplicationSettingsTest.java | 4 | ||||
| -rw-r--r-- | src/test/java/org/onap/dcae/TLSTest.java | 2 | ||||
| -rw-r--r-- | src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java | 4 |
8 files changed, 28 insertions, 16 deletions
@@ -29,6 +29,14 @@ Run the image using docker-compose.yml docker-compose up ``` +### Generate auth credential + +Util "crypt_password.py" to generate new cryptographic password is stored in dcaegen2/sdk + +``` +python crypt_password.py -p TestPassword +``` + ### Environment variables in Docker Container Most of the configuration of how VESCollector should be started and managed is done through environment variables. Some of them are set during the image build process and some of them are defined manually or by diff --git a/etc/collector.properties b/etc/collector.properties index 475c49b0..d0c90695 100755 --- a/etc/collector.properties +++ b/etc/collector.properties @@ -60,9 +60,9 @@ collector.dmaapfile=./etc/DmaapConfig.json ## To disable enter 0
header.authflag=0
-## Combination of userid,base64 encoded pwd list to be supported
+## Combination of userid,hashPassword encoded pwd list to be supported
## userid and pwd comma separated; pipe delimitation between each pair
-header.authlist=sample1,c2FtcGxlMQ==
+header.authlist=sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6
## Event transformation Flag - when set expects configurable transformation
## defined under ./etc/eventTransform.json
diff --git a/src/main/java/org/onap/dcae/ApplicationSettings.java b/src/main/java/org/onap/dcae/ApplicationSettings.java index ead148c4..f140def2 100644 --- a/src/main/java/org/onap/dcae/ApplicationSettings.java +++ b/src/main/java/org/onap/dcae/ApplicationSettings.java @@ -90,8 +90,10 @@ public class ApplicationSettings { } private Map<String, String> prepareUsersMap(@Nullable String allowedUsers) { - return allowedUsers == null ? HashMap.empty() : List.ofAll(stream(allowedUsers.split("\\|"))) - .toMap(t -> t.split(",")[0].trim(), t -> new String(Base64.getDecoder().decode(t.split(",")[1])).trim()); + return allowedUsers == null ? HashMap.empty() + : List.of(allowedUsers.split("\\|")) + .map(t->t.split(",")) + .toMap(t-> t[0].trim(), t -> t[1].trim()); } private String findOutConfigurationFileLocation(Map<String, String> parsedArgs) { diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java index 8061ec5a..6b5a64aa 100644 --- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java +++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java @@ -20,19 +20,20 @@ package org.onap.dcae.restapi; import io.vavr.control.Option; +import java.io.IOException; +import java.util.Base64; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import org.onap.dcae.ApplicationSettings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; -import java.util.Base64; - final class ApiAuthInterceptor extends HandlerInterceptorAdapter { private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class); + private final BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); private final ApplicationSettings applicationSettings; private Logger errorLog; @@ -65,11 +66,11 @@ final class ApiAuthInterceptor extends HandlerInterceptorAdapter { String providedPassword = decodedData.split(":")[1].trim(); Option<String> maybeSavedPassword = applicationSettings.validAuthorizationCredentials().get(providedUser); boolean userRegistered = maybeSavedPassword.isDefined(); - return userRegistered && maybeSavedPassword.get().equals(providedPassword); + return userRegistered && passwordEncoder.matches(providedPassword,maybeSavedPassword.get()); } catch (Exception e) { LOG.warn(String.format("Could not check if user is authorized (header: '%s')), probably malformed header.", authorizationHeader), e); return false; } } -} +}
\ No newline at end of file diff --git a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java index 9ebb5394..c44e0d45 100644 --- a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java +++ b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java @@ -32,6 +32,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @EnableWebMvc @Configuration public class ApiConfiguration implements WebMvcConfigurer { + private final ApplicationSettings applicationSettings; private Logger errorLogger; diff --git a/src/test/java/org/onap/dcae/ApplicationSettingsTest.java b/src/test/java/org/onap/dcae/ApplicationSettingsTest.java index 55160ff5..0e91bc70 100644 --- a/src/test/java/org/onap/dcae/ApplicationSettingsTest.java +++ b/src/test/java/org/onap/dcae/ApplicationSettingsTest.java @@ -389,8 +389,8 @@ public class ApplicationSettingsTest { ).validAuthorizationCredentials(); // then - assertEquals(allowedUsers.get("pasza").get(), "simplepassword"); - assertEquals(allowedUsers.get("someoneelse").get(), "simplepassword"); + assertEquals(allowedUsers.get("pasza").get(), "c2ltcGxlcGFzc3dvcmQNCg=="); + assertEquals(allowedUsers.get("someoneelse").get(), "c2ltcGxlcGFzc3dvcmQNCg=="); } @Test diff --git a/src/test/java/org/onap/dcae/TLSTest.java b/src/test/java/org/onap/dcae/TLSTest.java index 63099b7d..c73bb53b 100644 --- a/src/test/java/org/onap/dcae/TLSTest.java +++ b/src/test/java/org/onap/dcae/TLSTest.java @@ -113,7 +113,7 @@ public class TLSTest extends TLSTestBase { when(settings.keystoreFileLocation()).thenReturn(KEYSTORE.toString()); when(settings.keystorePasswordFileLocation()).thenReturn(KEYSTORE_PASSWORD_FILE.toString()); when(settings.authorizationEnabled()).thenReturn(true); - when(settings.validAuthorizationCredentials()).thenReturn(HashMap.of(USERNAME, PASSWORD)); + when(settings.validAuthorizationCredentials()).thenReturn(HashMap.of(USERNAME, "$2a$10$51tDgG2VNLde5E173Ay/YO.Fq.aD.LR2Rp8pY3QAKriOSPswvGviy")); } } diff --git a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java index cb4d334c..569fd969 100644 --- a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java +++ b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java @@ -139,9 +139,9 @@ public class ApiAuthInterceptionTest { public void shouldSucceed() throws IOException { // given final HttpServletRequest request = createRequestWithAuthorizationHeader(); - when(settings.authorizationEnabled()).thenReturn(true); - when(settings.validAuthorizationCredentials()).thenReturn(CREDENTIALS); + when(settings.validAuthorizationCredentials()).thenReturn( + HashMap.of(USERNAME, "$2a$10$BsZkEynNm/93wbAeeZuxJeu6IHRyQl4XReqDg2BtYOFDhUsz20.3G")); when(response.getWriter()).thenReturn(writer); // when |