diff options
author | Zlatko Murgoski <zlatko.murgoski@nokia.com> | 2019-03-05 11:31:48 +0100 |
---|---|---|
committer | Zlatko Murgoski <zlatko.murgoski@nokia.com> | 2019-03-15 20:06:59 +0100 |
commit | 0f2c2039cd9d9b26482fc7488ae1bdf99f2544f5 (patch) | |
tree | 77bf8a43c44e5bb5ad991324f806b990f67edcee /src/main/java/org | |
parent | 4b8692b6fed457a9d194557abe681832fad4f576 (diff) |
Collector authentication enhancement
Collector authentication enhancement
Change-Id: I03a05cb83dd8c498fb218e82e9b3958348fbb4ac
Issue-ID: DCAEGEN2-1101
Signed-off-by: Zlatko Murgoski <zlatko.murgoski@nokia.com>
Diffstat (limited to 'src/main/java/org')
11 files changed, 447 insertions, 113 deletions
diff --git a/src/main/java/org/onap/dcae/ApplicationSettings.java b/src/main/java/org/onap/dcae/ApplicationSettings.java index 7a2bff97..c4f2c063 100644 --- a/src/main/java/org/onap/dcae/ApplicationSettings.java +++ b/src/main/java/org/onap/dcae/ApplicationSettings.java @@ -43,6 +43,7 @@ import javax.annotation.Nullable; import org.apache.commons.configuration.ConfigurationException; import org.apache.commons.configuration.PropertiesConfiguration; import org.json.JSONObject; +import org.onap.dcae.common.configuration.AuthMethodType; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -119,10 +120,6 @@ public class ApplicationSettings { return properties.getInt("collector.schema.checkflag", -1) > 0; } - public boolean authorizationEnabled() { - return properties.getInt("header.authflag", 0) > 0; - } - public JsonSchema jsonSchema(String version) { return loadedJsonSchemas.get(version) .orElse(loadedJsonSchemas.get(FALLBACK_VES_VERSION)) @@ -175,10 +172,6 @@ public class ApplicationSettings { return prependWithUserDirOnRelative(properties.getString("collector.keystore.file.location", "etc/keystore")); } - public boolean clientTlsAuthenticationEnabled() { - return httpsEnabled() && properties.getInt("collector.service.secure.clientauth", 0) > 0; - } - public String truststorePasswordFileLocation() { return prependWithUserDirOnRelative(properties.getString("collector.truststore.passwordfile", "etc/trustpasswordfile")); } @@ -195,6 +188,10 @@ public class ApplicationSettings { return prependWithUserDirOnRelative(properties.getString("collector.dmaapfile", "etc/DmaapConfig.json")); } + public String authMethod(){ + return properties.getString("auth.method", AuthMethodType.NO_AUTH.value()); + } + public Map<String, String[]> dMaaPStreamsMapping() { String streamIdsProperty = properties.getString("collector.dmaap.streamid", null); if (streamIdsProperty == null) { diff --git a/src/main/java/org/onap/dcae/common/SSLContextCreator.java b/src/main/java/org/onap/dcae/common/SSLContextCreator.java index e636f4c0..898e5d55 100644 --- a/src/main/java/org/onap/dcae/common/SSLContextCreator.java +++ b/src/main/java/org/onap/dcae/common/SSLContextCreator.java @@ -22,6 +22,7 @@ package org.onap.dcae.common; import java.nio.file.Path; import org.springframework.boot.web.server.Ssl; +import org.springframework.boot.web.server.Ssl.ClientAuth; public class SSLContextCreator { private final String keyStorePassword; @@ -31,6 +32,7 @@ public class SSLContextCreator { private Path trustStoreFile; private String trustStorePassword; private boolean hasTlsClientAuthentication = false; + private ClientAuth clientAuth; public static SSLContextCreator create(final Path keyStoreFile, final String certAlias, final String password) { return new SSLContextCreator(keyStoreFile, certAlias, password); @@ -42,8 +44,9 @@ public class SSLContextCreator { this.keyStorePassword = password; } - public SSLContextCreator withTlsClientAuthentication(final Path trustStoreFile, final String password) { - hasTlsClientAuthentication = true; + public SSLContextCreator withTlsClientAuthentication(final Path trustStoreFile, final String password, final ClientAuth clientAuth) { + this.clientAuth = clientAuth; + this.hasTlsClientAuthentication = true; this.trustStoreFile = trustStoreFile; this.trustStorePassword = password; @@ -62,7 +65,7 @@ public class SSLContextCreator { ssl.setTrustStore(trustStore); ssl.setTrustStorePassword(trustStorePassword); - ssl.setClientAuth(Ssl.ClientAuth.NEED); + ssl.setClientAuth(clientAuth); } public Ssl build() { @@ -74,7 +77,6 @@ public class SSLContextCreator { if (hasTlsClientAuthentication) { configureTrustStore(ssl); } - return ssl; } }
\ No newline at end of file diff --git a/src/main/java/org/onap/dcae/common/configuration/AuthMethod.java b/src/main/java/org/onap/dcae/common/configuration/AuthMethod.java new file mode 100644 index 00000000..21614856 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/AuthMethod.java @@ -0,0 +1,26 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +public interface AuthMethod { + void configure(); +} diff --git a/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java b/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java new file mode 100644 index 00000000..7eb1b414 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java @@ -0,0 +1,37 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +public enum AuthMethodType { + + NO_AUTH("noAuth"),CERT_ONLY("certOnly"),CERT_BASIC_AUTH("certBasicAuth"),BASIC_AUTH("basicAuth"); + + private final String value; + + AuthMethodType(String value) { + this.value = value; + } + + public String value() { + return value; + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java b/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java new file mode 100644 index 00000000..c3730512 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java @@ -0,0 +1,48 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class BasicAuth implements AuthMethod { + + private static final Logger log = LoggerFactory.getLogger(BasicAuth.class); + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public BasicAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + SslContextCreator sslContextCreator = new SslContextCreator(properties); + container.setPort(properties.httpsPort()); + container.setSsl(sslContextCreator.simpleHttpsContext()); + log.info(String.format("Application work in %s mode on %s port.", + properties.authMethod(), properties.httpsPort())); + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/CertAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java new file mode 100644 index 00000000..3c4fb62c --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java @@ -0,0 +1,49 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.server.Ssl.ClientAuth; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class CertAuth implements AuthMethod { + + private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public CertAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + SslContextCreator sslContextCreator = new SslContextCreator(properties); + container.setSsl(sslContextCreator.httpsContextWithTlsAuthentication(ClientAuth.NEED)); + container.setPort(properties.httpsPort()); + log.info(String.format("Application work in %s mode on %s port.", + properties.authMethod(), properties.httpsPort())); + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java new file mode 100644 index 00000000..f756b47d --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java @@ -0,0 +1,50 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.server.Ssl.ClientAuth; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class CertBasicAuth implements AuthMethod{ + + private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public CertBasicAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + SslContextCreator sslContextCreator = new SslContextCreator(properties); + container.setPort(properties.httpsPort()); + container.setSsl(sslContextCreator.httpsContextWithTlsAuthentication(ClientAuth.WANT)); + log.info(String.format("Application work in %s mode on %s port.", + properties.authMethod(), properties.httpsPort())); + } +} + diff --git a/src/main/java/org/onap/dcae/common/configuration/NoAuth.java b/src/main/java/org/onap/dcae/common/configuration/NoAuth.java new file mode 100644 index 00000000..a64749c0 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/NoAuth.java @@ -0,0 +1,62 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class NoAuth implements AuthMethod { + + private static final Logger log = LoggerFactory.getLogger(NoAuth.class); + + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public NoAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + if (validateAuthMethod()){ + container.setPort(properties.httpsPort()); + logContainerConfiguration(properties.httpsPort()); + } + else { + container.setPort(properties.httpPort()); + logContainerConfiguration(properties.httpPort()); + } + } + + private boolean validateAuthMethod() { + return properties.authMethod().equalsIgnoreCase(AuthMethodType.BASIC_AUTH.value()) + || properties.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value()) + || properties.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value()); + } + + private void logContainerConfiguration(int port) { + log.info(String.format("Application work in %s mode on %s port.", properties.authMethod(), port)); + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java b/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java new file mode 100644 index 00000000..f0e470be --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java @@ -0,0 +1,116 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import static java.nio.file.Files.readAllBytes; + +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.GeneralSecurityException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import org.onap.dcae.ApplicationException; +import org.onap.dcae.ApplicationSettings; +import org.onap.dcae.common.SSLContextCreator; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.server.Ssl; +import org.springframework.boot.web.server.Ssl.ClientAuth; + +public class SslContextCreator { + + private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private final ApplicationSettings properties; + + public SslContextCreator(ApplicationSettings properties) { + this.properties = properties; + } + + public Ssl httpsContextWithTlsAuthentication(ClientAuth clientAuth) { + final SSLContextCreator sslContextCreator = simpleHttpsContextBuilder(); + + log.info("Enabling TLS client authorization"); + + final Path trustStore = toAbsolutePath(properties.truststoreFileLocation()); + log.info("Using trustStore path: " + trustStore); + + final Path trustPasswordFileLocation = toAbsolutePath(properties.truststorePasswordFileLocation()); + final String trustStorePassword = getKeyStorePassword(trustPasswordFileLocation); + log.info("Using trustStore password from: " + trustPasswordFileLocation); + + return sslContextCreator.withTlsClientAuthentication(trustStore, trustStorePassword, clientAuth).build(); + } + + public Ssl simpleHttpsContext(){ + return simpleHttpsContextBuilder().build(); + } + + private SSLContextCreator simpleHttpsContextBuilder() { + log.info("Enabling SSL"); + + final Path keyStorePath = toAbsolutePath(properties.keystoreFileLocation()); + log.info("Using keyStore path: " + keyStorePath); + + final Path keyStorePasswordLocation = toAbsolutePath(properties.keystorePasswordFileLocation()); + final String keyStorePassword = getKeyStorePassword(keyStorePasswordLocation); + log.info("Using keyStore password from: " + keyStorePasswordLocation); + return SSLContextCreator.create(keyStorePath, getKeyStoreAlias(keyStorePath, keyStorePassword), keyStorePassword); + } + + private String getKeyStoreAlias(Path keyStorePath, String keyStorePassword) { + KeyStore keyStore = getKeyStore(); + try(InputStream keyStoreData = new FileInputStream(keyStorePath.toString())){ + keyStore.load(keyStoreData, keyStorePassword.toCharArray()); + String alias = keyStore.aliases().nextElement(); + log.info("Actual key store alias is: " + alias); + return alias; + } catch (IOException | GeneralSecurityException ex) { + log.error("Cannot load Key Store alias cause: " + ex); + throw new ApplicationException(ex); + } + } + + private KeyStore getKeyStore() { + try { + return KeyStore.getInstance(KeyStore.getDefaultType()); + } catch (KeyStoreException ex) { + log.error("Cannot create Key Store instance cause: " + ex); + throw new ApplicationException(ex); + } + } + + private Path toAbsolutePath(final String path) { + return Paths.get(path).toAbsolutePath(); + } + + private String getKeyStorePassword(final Path location) { + try { + return new String(readAllBytes(location)); + } catch (IOException e) { + log.error("Could not read keystore password from: '" + location + "'.", e); + throw new ApplicationException(e); + } + } +} diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java index 3b76ae46..e2ac74c7 100644 --- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java +++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java @@ -25,6 +25,7 @@ import java.util.Base64; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.onap.dcae.ApplicationSettings; +import org.onap.dcae.common.configuration.AuthMethodType; import org.onap.dcaegen2.services.sdk.security.CryptPassword; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -34,37 +35,51 @@ final class ApiAuthInterceptor extends HandlerInterceptorAdapter { private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class); private final CryptPassword cryptPassword = new CryptPassword(); - private final ApplicationSettings applicationSettings; + private final ApplicationSettings settings; + private Logger errorLogger; - private Logger errorLog; - ApiAuthInterceptor(ApplicationSettings applicationSettings, Logger errorLog) { - this.applicationSettings = applicationSettings; - this.errorLog = errorLog; + public ApiAuthInterceptor(ApplicationSettings applicationSettings, Logger errorLogger) { + this.settings = applicationSettings; + this.errorLogger = errorLogger; } @Override - public boolean preHandle(HttpServletRequest request, HttpServletResponse response, - Object handler) throws IOException { - if (applicationSettings.authorizationEnabled()) { + public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) + throws IOException { + + if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value())){ + if (request.getAttribute("javax.servlet.request.X509Certificate") != null){ + LOG.info("Request is authorized by certificate "); + return true; + } + } + + if (isBasicAuth()) { String authorizationHeader = request.getHeader("Authorization"); if (authorizationHeader == null || !isAuthorized(authorizationHeader)) { - response.setStatus(400); - errorLog.error("EVENT_RECEIPT_FAILURE: Unauthorized user"); + response.setStatus(401); + errorLogger.error("EVENT_RECEIPT_FAILURE: Unauthorized user"); response.getWriter().write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); return false; } + LOG.info("Request is authorized by basic auth"); } return true; } + private boolean isBasicAuth() { + return settings.authMethod().equalsIgnoreCase(AuthMethodType.BASIC_AUTH.value()) + || settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value()); + } + private boolean isAuthorized(String authorizationHeader) { try { String encodedData = authorizationHeader.split(" ")[1]; String decodedData = new String(Base64.getDecoder().decode(encodedData)); String providedUser = decodedData.split(":")[0].trim(); String providedPassword = decodedData.split(":")[1].trim(); - Option<String> maybeSavedPassword = applicationSettings.validAuthorizationCredentials().get(providedUser); + Option<String> maybeSavedPassword = settings.validAuthorizationCredentials().get(providedUser); boolean userRegistered = maybeSavedPassword.isDefined(); return userRegistered && cryptPassword.matches(providedPassword,maybeSavedPassword.get()); } catch (Exception e) { diff --git a/src/main/java/org/onap/dcae/restapi/ServletConfig.java b/src/main/java/org/onap/dcae/restapi/ServletConfig.java index e66f3f1f..e68ddcdf 100644 --- a/src/main/java/org/onap/dcae/restapi/ServletConfig.java +++ b/src/main/java/org/onap/dcae/restapi/ServletConfig.java @@ -21,23 +21,17 @@ package org.onap.dcae.restapi; -import static java.nio.file.Files.readAllBytes; - -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.security.GeneralSecurityException; -import java.security.KeyStore; -import java.security.KeyStoreException; +import java.util.HashMap; +import java.util.Map; import org.onap.dcae.ApplicationException; import org.onap.dcae.ApplicationSettings; -import org.onap.dcae.common.SSLContextCreator; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import org.onap.dcae.common.configuration.AuthMethod; +import org.onap.dcae.common.configuration.AuthMethodType; +import org.onap.dcae.common.configuration.BasicAuth; +import org.onap.dcae.common.configuration.CertAuth; +import org.onap.dcae.common.configuration.CertBasicAuth; +import org.onap.dcae.common.configuration.NoAuth; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.boot.web.server.Ssl; import org.springframework.boot.web.server.WebServerFactoryCustomizer; import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; import org.springframework.stereotype.Component; @@ -45,90 +39,28 @@ import org.springframework.stereotype.Component; @Component public class ServletConfig implements WebServerFactoryCustomizer<ConfigurableServletWebServerFactory> { - private static final Logger log = LoggerFactory.getLogger(ServletConfig.class); - @Autowired private ApplicationSettings properties; @Override public void customize(ConfigurableServletWebServerFactory container) { - final boolean hasClientTlsAuthentication = properties.clientTlsAuthenticationEnabled(); - if (hasClientTlsAuthentication || properties.authorizationEnabled()) { - container.setSsl(hasClientTlsAuthentication ? httpsContextWithTlsAuthentication() : simpleHttpsContext()); - int port = properties.httpsPort(); - container.setPort(port); - log.info("Application https port: " + port); - } else { - int port = properties.httpPort(); - container.setPort(port); - log.info("Application http port: " + port); - } - - } - - private SSLContextCreator simpleHttpsContextBuilder() { - log.info("Enabling SSL"); - - final Path keyStorePath = toAbsolutePath(properties.keystoreFileLocation()); - log.info("Using keyStore path: " + keyStorePath); - - final Path keyStorePasswordLocation = toAbsolutePath(properties.keystorePasswordFileLocation()); - final String keyStorePassword = getKeyStorePassword(keyStorePasswordLocation); - log.info("Using keyStore password from: " + keyStorePasswordLocation); - return SSLContextCreator.create(keyStorePath, getKeyStoreAlias(keyStorePath, keyStorePassword), keyStorePassword); - } - - private String getKeyStoreAlias(Path keyStorePath, String keyStorePassword) { - KeyStore keyStore = getKeyStore(); - try(InputStream keyStoreData = new FileInputStream(keyStorePath.toString())){ - keyStore.load(keyStoreData, keyStorePassword.toCharArray()); - String alias = keyStore.aliases().nextElement(); - log.info("Actual key store alias is: " + alias); - return alias; - } catch (IOException | GeneralSecurityException ex) { - log.error("Cannot load Key Store alias cause: " + ex); - throw new ApplicationException(ex); - } - } - - private KeyStore getKeyStore() { - try { - return KeyStore.getInstance(KeyStore.getDefaultType()); - } catch (KeyStoreException ex) { - log.error("Cannot create Key Store instance cause: " + ex); - throw new ApplicationException(ex); - } - } - - private Ssl simpleHttpsContext() { - return simpleHttpsContextBuilder().build(); - } - - private Ssl httpsContextWithTlsAuthentication() { - final SSLContextCreator sslContextCreator = simpleHttpsContextBuilder(); - - log.info("Enabling TLS client authorization"); - - final Path trustStore = toAbsolutePath(properties.truststoreFileLocation()); - log.info("Using trustStore path: " + trustStore); - - final Path trustPasswordFileLocation = toAbsolutePath(properties.truststorePasswordFileLocation()); - final String trustStorePassword = getKeyStorePassword(trustPasswordFileLocation); - log.info("Using trustStore password from: " + trustPasswordFileLocation); - - return sslContextCreator.withTlsClientAuthentication(trustStore, trustStorePassword).build(); + provideAuthConfigurations(container).getOrDefault(properties.authMethod(), + notSupportedOperation()).configure(); } - private Path toAbsolutePath(final String path) { - return Paths.get(path).toAbsolutePath(); + private Map<String, AuthMethod> provideAuthConfigurations(ConfigurableServletWebServerFactory container) { + Map<String, AuthMethod> authMethods = new HashMap<>(); + authMethods.put(AuthMethodType.CERT_ONLY.value(), new CertAuth(container, properties)); + authMethods.put(AuthMethodType.BASIC_AUTH.value(), new BasicAuth(container, properties)); + authMethods.put(AuthMethodType.CERT_BASIC_AUTH.value(), new CertBasicAuth(container, properties)); + authMethods.put(AuthMethodType.NO_AUTH.value(), new NoAuth(container, properties)); + return authMethods; } - private String getKeyStorePassword(final Path location) { - try { - return new String(readAllBytes(location)); - } catch (IOException e) { - log.error("Could not read keystore password from: '" + location + "'.", e); - throw new ApplicationException(e); - } + private AuthMethod notSupportedOperation() { + return () -> { + throw new ApplicationException( + "Provided auth method not allowed: " + properties.authMethod()); + }; } }
\ No newline at end of file |