aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZlatko Murgoski <zlatko.murgoski@nokia.com>2018-12-03 12:28:41 +0100
committerZlatko Murgoski <zlatko.murgoski@nokia.com>2018-12-07 14:50:10 +0100
commit27b6e6483e73e37a235b8160ad9a1c9f3f68d5ea (patch)
tree3d99f292f243d17eee2a47386950f198013a7c02
parent1afc93ddb4afc226562043822f6c5e9dc0ed4b2a (diff)
Remove clear text password
Change to SHA256 Change-Id: I1c41247cf4094523b61487cbce0030d585982b06 Issue-ID: DCAEGEN2-978 Signed-off-by: Zlatko Murgoski <zlatko.murgoski@nokia.com>
-rw-r--r--README.md8
-rwxr-xr-xetc/collector.properties4
-rw-r--r--src/main/java/org/onap/dcae/ApplicationSettings.java6
-rw-r--r--src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java15
-rw-r--r--src/main/java/org/onap/dcae/restapi/ApiConfiguration.java1
-rw-r--r--src/test/java/org/onap/dcae/ApplicationSettingsTest.java4
-rw-r--r--src/test/java/org/onap/dcae/TLSTest.java2
-rw-r--r--src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java4
8 files changed, 28 insertions, 16 deletions
diff --git a/README.md b/README.md
index 09037680..f77ca227 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,14 @@ Run the image using docker-compose.yml
docker-compose up
```
+### Generate auth credential
+
+Util "crypt_password.py" to generate new cryptographic password is stored in dcaegen2/sdk
+
+```
+python crypt_password.py -p TestPassword
+```
+
### Environment variables in Docker Container
Most of the configuration of how VESCollector should be started and managed is done through environment variables.
Some of them are set during the image build process and some of them are defined manually or by
diff --git a/etc/collector.properties b/etc/collector.properties
index 475c49b0..d0c90695 100755
--- a/etc/collector.properties
+++ b/etc/collector.properties
@@ -60,9 +60,9 @@ collector.dmaapfile=./etc/DmaapConfig.json
## To disable enter 0
header.authflag=0
-## Combination of userid,base64 encoded pwd list to be supported
+## Combination of userid,hashPassword encoded pwd list to be supported
## userid and pwd comma separated; pipe delimitation between each pair
-header.authlist=sample1,c2FtcGxlMQ==
+header.authlist=sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6
## Event transformation Flag - when set expects configurable transformation
## defined under ./etc/eventTransform.json
diff --git a/src/main/java/org/onap/dcae/ApplicationSettings.java b/src/main/java/org/onap/dcae/ApplicationSettings.java
index ead148c4..f140def2 100644
--- a/src/main/java/org/onap/dcae/ApplicationSettings.java
+++ b/src/main/java/org/onap/dcae/ApplicationSettings.java
@@ -90,8 +90,10 @@ public class ApplicationSettings {
}
private Map<String, String> prepareUsersMap(@Nullable String allowedUsers) {
- return allowedUsers == null ? HashMap.empty() : List.ofAll(stream(allowedUsers.split("\\|")))
- .toMap(t -> t.split(",")[0].trim(), t -> new String(Base64.getDecoder().decode(t.split(",")[1])).trim());
+ return allowedUsers == null ? HashMap.empty()
+ : List.of(allowedUsers.split("\\|"))
+ .map(t->t.split(","))
+ .toMap(t-> t[0].trim(), t -> t[1].trim());
}
private String findOutConfigurationFileLocation(Map<String, String> parsedArgs) {
diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
index 8061ec5a..6b5a64aa 100644
--- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
+++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java
@@ -20,19 +20,20 @@
package org.onap.dcae.restapi;
import io.vavr.control.Option;
+import java.io.IOException;
+import java.util.Base64;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
import org.onap.dcae.ApplicationSettings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.Base64;
-
final class ApiAuthInterceptor extends HandlerInterceptorAdapter {
private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class);
+ private final BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
private final ApplicationSettings applicationSettings;
private Logger errorLog;
@@ -65,11 +66,11 @@ final class ApiAuthInterceptor extends HandlerInterceptorAdapter {
String providedPassword = decodedData.split(":")[1].trim();
Option<String> maybeSavedPassword = applicationSettings.validAuthorizationCredentials().get(providedUser);
boolean userRegistered = maybeSavedPassword.isDefined();
- return userRegistered && maybeSavedPassword.get().equals(providedPassword);
+ return userRegistered && passwordEncoder.matches(providedPassword,maybeSavedPassword.get());
} catch (Exception e) {
LOG.warn(String.format("Could not check if user is authorized (header: '%s')), probably malformed header.",
authorizationHeader), e);
return false;
}
}
-}
+} \ No newline at end of file
diff --git a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
index 9ebb5394..c44e0d45 100644
--- a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
+++ b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
@@ -32,6 +32,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@EnableWebMvc
@Configuration
public class ApiConfiguration implements WebMvcConfigurer {
+
private final ApplicationSettings applicationSettings;
private Logger errorLogger;
diff --git a/src/test/java/org/onap/dcae/ApplicationSettingsTest.java b/src/test/java/org/onap/dcae/ApplicationSettingsTest.java
index 55160ff5..0e91bc70 100644
--- a/src/test/java/org/onap/dcae/ApplicationSettingsTest.java
+++ b/src/test/java/org/onap/dcae/ApplicationSettingsTest.java
@@ -389,8 +389,8 @@ public class ApplicationSettingsTest {
).validAuthorizationCredentials();
// then
- assertEquals(allowedUsers.get("pasza").get(), "simplepassword");
- assertEquals(allowedUsers.get("someoneelse").get(), "simplepassword");
+ assertEquals(allowedUsers.get("pasza").get(), "c2ltcGxlcGFzc3dvcmQNCg==");
+ assertEquals(allowedUsers.get("someoneelse").get(), "c2ltcGxlcGFzc3dvcmQNCg==");
}
@Test
diff --git a/src/test/java/org/onap/dcae/TLSTest.java b/src/test/java/org/onap/dcae/TLSTest.java
index 63099b7d..c73bb53b 100644
--- a/src/test/java/org/onap/dcae/TLSTest.java
+++ b/src/test/java/org/onap/dcae/TLSTest.java
@@ -113,7 +113,7 @@ public class TLSTest extends TLSTestBase {
when(settings.keystoreFileLocation()).thenReturn(KEYSTORE.toString());
when(settings.keystorePasswordFileLocation()).thenReturn(KEYSTORE_PASSWORD_FILE.toString());
when(settings.authorizationEnabled()).thenReturn(true);
- when(settings.validAuthorizationCredentials()).thenReturn(HashMap.of(USERNAME, PASSWORD));
+ when(settings.validAuthorizationCredentials()).thenReturn(HashMap.of(USERNAME, "$2a$10$51tDgG2VNLde5E173Ay/YO.Fq.aD.LR2Rp8pY3QAKriOSPswvGviy"));
}
}
diff --git a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java
index cb4d334c..569fd969 100644
--- a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java
+++ b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java
@@ -139,9 +139,9 @@ public class ApiAuthInterceptionTest {
public void shouldSucceed() throws IOException {
// given
final HttpServletRequest request = createRequestWithAuthorizationHeader();
-
when(settings.authorizationEnabled()).thenReturn(true);
- when(settings.validAuthorizationCredentials()).thenReturn(CREDENTIALS);
+ when(settings.validAuthorizationCredentials()).thenReturn(
+ HashMap.of(USERNAME, "$2a$10$BsZkEynNm/93wbAeeZuxJeu6IHRyQl4XReqDg2BtYOFDhUsz20.3G"));
when(response.getWriter()).thenReturn(writer);
// when