TLS mutual authentication has been added.

Change-Id: I60ebe8e1b06d72413940935396cb7a56af437c0d
Issue-ID: DCAEGEN2-959
Signed-off-by: ANDRZEJ SZUKUC <andrzej.szukuc@nokia.com>

4 files changed, 138 insertions, 15 deletions

diff --git a/src/main/java/org/onap/dcae/ApplicationSettings.java b/src/main/java/org/onap/dcae/ApplicationSettings.java
index 189d4a9a..ead148c4 100644
--- a/src/main/java/org/onap/dcae/ApplicationSettings.java
+++ b/src/main/java/org/onap/dcae/ApplicationSettings.java
@@ -37,7 +37,6 @@ import org.apache.commons.configuration.PropertiesConfiguration;
 import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
 
 import javax.annotation.Nullable;
 import java.io.IOException;
@@ -167,10 +166,22 @@ public class ApplicationSettings {
         return prependWithUserDirOnRelative(properties.getString("collector.keystore.file.location", "etc/keystore"));
     }
 
+    public boolean clientTlsAuthenticationEnabled() {
+        return httpsEnabled() && properties.getInt("collector.service.secure.clientauth", 0) > 0;
+    }
+
     public String keystoreAlias() {
         return properties.getString("collector.keystore.alias", "tomcat");
     }
 
+    public String truststorePasswordFileLocation() {
+        return prependWithUserDirOnRelative(properties.getString("collector.truststore.passwordfile", "etc/trustpasswordfile"));
+    }
+
+    public String truststoreFileLocation() {
+        return prependWithUserDirOnRelative(properties.getString("collector.truststore.file.location", "etc/truststore"));
+    }
+
     public String exceptionConfigFileLocation() {
         return properties.getString("exceptionConfig", null);
     }
diff --git a/src/main/java/org/onap/dcae/commonFunction/SSLContextCreator.java b/src/main/java/org/onap/dcae/commonFunction/SSLContextCreator.java
new file mode 100644
index 00000000..29e974ef
--- /dev/null
+++ b/src/main/java/org/onap/dcae/commonFunction/SSLContextCreator.java
@@ -0,0 +1,82 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * PROJECT
+ * ================================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dcae.commonFunction;
+
+import org.springframework.boot.web.server.Ssl;
+
+import java.nio.file.Path;
+
+public class SSLContextCreator {
+    private final String keyStorePassword;
+    private final String certAlias;
+    private final Path keyStoreFile;
+
+    private Path trustStoreFile;
+    private String trustStorePassword;
+    private boolean hasTlsClientAuthentication = false;
+
+    public static SSLContextCreator create(final Path keyStoreFile, final String certAlias, final String password) {
+        return new SSLContextCreator(keyStoreFile, certAlias, password);
+    }
+
+    private SSLContextCreator(final Path keyStoreFile, final String certAlias, final String password) {
+        this.certAlias = certAlias;
+        this.keyStoreFile = keyStoreFile;
+        this.keyStorePassword = password;
+    }
+
+    public SSLContextCreator withTlsClientAuthentication(final Path trustStoreFile, final String password) {
+        hasTlsClientAuthentication = true;
+        this.trustStoreFile = trustStoreFile;
+        this.trustStorePassword = password;
+
+        return this;
+    }
+
+    private void configureKeyStore(final Ssl ssl) {
+        final String keyStore = keyStoreFile.toAbsolutePath().toString();
+
+        ssl.setKeyStore(keyStore);
+        ssl.setKeyPassword(keyStorePassword);
+        ssl.setKeyAlias(certAlias);
+    }
+
+    private void configureTrustStore(final Ssl ssl) {
+        final String trustStore = trustStoreFile.toAbsolutePath().toString();
+
+        ssl.setTrustStore(trustStore);
+        ssl.setTrustStorePassword(trustStorePassword);
+        ssl.setClientAuth(Ssl.ClientAuth.NEED);
+    }
+
+    public Ssl build() {
+        final Ssl ssl = new Ssl();
+        ssl.setEnabled(true);
+
+        configureKeyStore(ssl);
+
+        if (hasTlsClientAuthentication) {
+            configureTrustStore(ssl);
+        }
+
+        return ssl;
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
index 85db81df..9ebb5394 100644
--- a/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
+++ b/src/main/java/org/onap/dcae/restapi/ApiConfiguration.java
@@ -25,9 +25,11 @@ import org.onap.dcae.ApplicationSettings;
 import org.slf4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
+@EnableWebMvc
 @Configuration
 public class ApiConfiguration implements WebMvcConfigurer {
     private final ApplicationSettings applicationSettings;
diff --git a/src/main/java/org/onap/dcae/restapi/ServletConfig.java b/src/main/java/org/onap/dcae/restapi/ServletConfig.java
index 871904c6..49455e54 100644
--- a/src/main/java/org/onap/dcae/restapi/ServletConfig.java
+++ b/src/main/java/org/onap/dcae/restapi/ServletConfig.java
@@ -22,6 +22,7 @@
 package org.onap.dcae.restapi;
 
 import org.onap.dcae.ApplicationSettings;
+import org.onap.dcae.commonFunction.SSLContextCreator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -31,6 +32,7 @@ import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerF
 import org.springframework.stereotype.Component;
 
 import java.io.IOException;
+import java.nio.file.Path;
 import java.nio.file.Paths;
 
 import static java.nio.file.Files.readAllBytes;
@@ -45,31 +47,57 @@ public class ServletConfig implements WebServerFactoryCustomizer<ConfigurableSer
 
     @Override
     public void customize(ConfigurableServletWebServerFactory container) {
-        if (properties.authorizationEnabled()) {
-            container.setSsl(createSSL());
+        final boolean hasClientTlsAuthentication = properties.clientTlsAuthenticationEnabled();
+
+        if (hasClientTlsAuthentication || properties.authorizationEnabled()) {
+            container.setSsl(hasClientTlsAuthentication ? httpsContextWithTlsAuthentication() : simpleHttpsContext());
             container.setPort(properties.httpsPort());
         } else {
             container.setPort(properties.httpPort());
         }
     }
 
-    private Ssl createSSL() {
+    private SSLContextCreator simpleHttpsContextBuilder() {
         log.info("Enabling SSL");
-        Ssl ssl = new Ssl();
-        ssl.setEnabled(true);
-        String keyStore = Paths.get(properties.keystoreFileLocation()).toAbsolutePath().toString();
+
+        final Path keyStore = toAbsolutePath(properties.keystoreFileLocation());
         log.info("Using keyStore path: " + keyStore);
-        ssl.setKeyStore(keyStore);
-        String keyPasswordFileLocation = Paths.get(properties.keystorePasswordFileLocation()).toAbsolutePath().toString();
-        log.info("Using keyStore password from: " + keyPasswordFileLocation);
-        ssl.setKeyPassword(getKeyStorePassword(keyPasswordFileLocation));
-        ssl.setKeyAlias(properties.keystoreAlias());
-        return ssl;
+
+        final Path keyStorePasswordLocation = toAbsolutePath(properties.keystorePasswordFileLocation());
+        final String keyStorePassword = getKeyStorePassword(keyStorePasswordLocation);
+        log.info("Using keyStore password from: " + keyStorePasswordLocation);
+
+        final String alias = properties.keystoreAlias();
+
+        return SSLContextCreator.create(keyStore, alias, keyStorePassword);
+    }
+
+    private Ssl simpleHttpsContext() {
+        return simpleHttpsContextBuilder().build();
+    }
+
+    private Ssl httpsContextWithTlsAuthentication() {
+        final SSLContextCreator sslContextCreator = simpleHttpsContextBuilder();
+
+        log.info("Enabling TLS client authorization");
+
+        final Path trustStore = toAbsolutePath(properties.truststoreFileLocation());
+        log.info("Using trustStore path: " + trustStore);
+
+        final Path trustPasswordFileLocation = toAbsolutePath(properties.truststorePasswordFileLocation());
+        final String trustStorePassword = getKeyStorePassword(trustPasswordFileLocation);
+        log.info("Using trustStore password from: " + trustPasswordFileLocation);
+
+        return sslContextCreator.withTlsClientAuthentication(trustStore, trustStorePassword).build();
+    }
+
+    private Path toAbsolutePath(final String path) {
+        return Paths.get(path).toAbsolutePath();
     }
 
-    private String getKeyStorePassword(String location) {
+    private String getKeyStorePassword(final Path location) {
         try {
-            return new String(readAllBytes(Paths.get(location)));
+            return new String(readAllBytes(location));
         } catch (IOException e) {
             log.error("Could not read keystore password from: '" + location + "'.", e);
             throw new RuntimeException(e);