diff options
author | Zlatko Murgoski <zlatko.murgoski@nokia.com> | 2019-03-05 11:31:48 +0100 |
---|---|---|
committer | Zlatko Murgoski <zlatko.murgoski@nokia.com> | 2019-03-15 20:06:59 +0100 |
commit | 0f2c2039cd9d9b26482fc7488ae1bdf99f2544f5 (patch) | |
tree | 77bf8a43c44e5bb5ad991324f806b990f67edcee /src | |
parent | 4b8692b6fed457a9d194557abe681832fad4f576 (diff) |
Collector authentication enhancement
Collector authentication enhancement
Change-Id: I03a05cb83dd8c498fb218e82e9b3958348fbb4ac
Issue-ID: DCAEGEN2-1101
Signed-off-by: Zlatko Murgoski <zlatko.murgoski@nokia.com>
Diffstat (limited to 'src')
18 files changed, 470 insertions, 144 deletions
diff --git a/src/main/java/org/onap/dcae/ApplicationSettings.java b/src/main/java/org/onap/dcae/ApplicationSettings.java index 7a2bff97..c4f2c063 100644 --- a/src/main/java/org/onap/dcae/ApplicationSettings.java +++ b/src/main/java/org/onap/dcae/ApplicationSettings.java @@ -43,6 +43,7 @@ import javax.annotation.Nullable; import org.apache.commons.configuration.ConfigurationException; import org.apache.commons.configuration.PropertiesConfiguration; import org.json.JSONObject; +import org.onap.dcae.common.configuration.AuthMethodType; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -119,10 +120,6 @@ public class ApplicationSettings { return properties.getInt("collector.schema.checkflag", -1) > 0; } - public boolean authorizationEnabled() { - return properties.getInt("header.authflag", 0) > 0; - } - public JsonSchema jsonSchema(String version) { return loadedJsonSchemas.get(version) .orElse(loadedJsonSchemas.get(FALLBACK_VES_VERSION)) @@ -175,10 +172,6 @@ public class ApplicationSettings { return prependWithUserDirOnRelative(properties.getString("collector.keystore.file.location", "etc/keystore")); } - public boolean clientTlsAuthenticationEnabled() { - return httpsEnabled() && properties.getInt("collector.service.secure.clientauth", 0) > 0; - } - public String truststorePasswordFileLocation() { return prependWithUserDirOnRelative(properties.getString("collector.truststore.passwordfile", "etc/trustpasswordfile")); } @@ -195,6 +188,10 @@ public class ApplicationSettings { return prependWithUserDirOnRelative(properties.getString("collector.dmaapfile", "etc/DmaapConfig.json")); } + public String authMethod(){ + return properties.getString("auth.method", AuthMethodType.NO_AUTH.value()); + } + public Map<String, String[]> dMaaPStreamsMapping() { String streamIdsProperty = properties.getString("collector.dmaap.streamid", null); if (streamIdsProperty == null) { diff --git a/src/main/java/org/onap/dcae/common/SSLContextCreator.java b/src/main/java/org/onap/dcae/common/SSLContextCreator.java index e636f4c0..898e5d55 100644 --- a/src/main/java/org/onap/dcae/common/SSLContextCreator.java +++ b/src/main/java/org/onap/dcae/common/SSLContextCreator.java @@ -22,6 +22,7 @@ package org.onap.dcae.common; import java.nio.file.Path; import org.springframework.boot.web.server.Ssl; +import org.springframework.boot.web.server.Ssl.ClientAuth; public class SSLContextCreator { private final String keyStorePassword; @@ -31,6 +32,7 @@ public class SSLContextCreator { private Path trustStoreFile; private String trustStorePassword; private boolean hasTlsClientAuthentication = false; + private ClientAuth clientAuth; public static SSLContextCreator create(final Path keyStoreFile, final String certAlias, final String password) { return new SSLContextCreator(keyStoreFile, certAlias, password); @@ -42,8 +44,9 @@ public class SSLContextCreator { this.keyStorePassword = password; } - public SSLContextCreator withTlsClientAuthentication(final Path trustStoreFile, final String password) { - hasTlsClientAuthentication = true; + public SSLContextCreator withTlsClientAuthentication(final Path trustStoreFile, final String password, final ClientAuth clientAuth) { + this.clientAuth = clientAuth; + this.hasTlsClientAuthentication = true; this.trustStoreFile = trustStoreFile; this.trustStorePassword = password; @@ -62,7 +65,7 @@ public class SSLContextCreator { ssl.setTrustStore(trustStore); ssl.setTrustStorePassword(trustStorePassword); - ssl.setClientAuth(Ssl.ClientAuth.NEED); + ssl.setClientAuth(clientAuth); } public Ssl build() { @@ -74,7 +77,6 @@ public class SSLContextCreator { if (hasTlsClientAuthentication) { configureTrustStore(ssl); } - return ssl; } }
\ No newline at end of file diff --git a/src/main/java/org/onap/dcae/common/configuration/AuthMethod.java b/src/main/java/org/onap/dcae/common/configuration/AuthMethod.java new file mode 100644 index 00000000..21614856 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/AuthMethod.java @@ -0,0 +1,26 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +public interface AuthMethod { + void configure(); +} diff --git a/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java b/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java new file mode 100644 index 00000000..7eb1b414 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java @@ -0,0 +1,37 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +public enum AuthMethodType { + + NO_AUTH("noAuth"),CERT_ONLY("certOnly"),CERT_BASIC_AUTH("certBasicAuth"),BASIC_AUTH("basicAuth"); + + private final String value; + + AuthMethodType(String value) { + this.value = value; + } + + public String value() { + return value; + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java b/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java new file mode 100644 index 00000000..c3730512 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java @@ -0,0 +1,48 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class BasicAuth implements AuthMethod { + + private static final Logger log = LoggerFactory.getLogger(BasicAuth.class); + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public BasicAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + SslContextCreator sslContextCreator = new SslContextCreator(properties); + container.setPort(properties.httpsPort()); + container.setSsl(sslContextCreator.simpleHttpsContext()); + log.info(String.format("Application work in %s mode on %s port.", + properties.authMethod(), properties.httpsPort())); + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/CertAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java new file mode 100644 index 00000000..3c4fb62c --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java @@ -0,0 +1,49 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.server.Ssl.ClientAuth; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class CertAuth implements AuthMethod { + + private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public CertAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + SslContextCreator sslContextCreator = new SslContextCreator(properties); + container.setSsl(sslContextCreator.httpsContextWithTlsAuthentication(ClientAuth.NEED)); + container.setPort(properties.httpsPort()); + log.info(String.format("Application work in %s mode on %s port.", + properties.authMethod(), properties.httpsPort())); + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java new file mode 100644 index 00000000..f756b47d --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java @@ -0,0 +1,50 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.server.Ssl.ClientAuth; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class CertBasicAuth implements AuthMethod{ + + private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public CertBasicAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + SslContextCreator sslContextCreator = new SslContextCreator(properties); + container.setPort(properties.httpsPort()); + container.setSsl(sslContextCreator.httpsContextWithTlsAuthentication(ClientAuth.WANT)); + log.info(String.format("Application work in %s mode on %s port.", + properties.authMethod(), properties.httpsPort())); + } +} + diff --git a/src/main/java/org/onap/dcae/common/configuration/NoAuth.java b/src/main/java/org/onap/dcae/common/configuration/NoAuth.java new file mode 100644 index 00000000..a64749c0 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/NoAuth.java @@ -0,0 +1,62 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class NoAuth implements AuthMethod { + + private static final Logger log = LoggerFactory.getLogger(NoAuth.class); + + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public NoAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + if (validateAuthMethod()){ + container.setPort(properties.httpsPort()); + logContainerConfiguration(properties.httpsPort()); + } + else { + container.setPort(properties.httpPort()); + logContainerConfiguration(properties.httpPort()); + } + } + + private boolean validateAuthMethod() { + return properties.authMethod().equalsIgnoreCase(AuthMethodType.BASIC_AUTH.value()) + || properties.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value()) + || properties.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value()); + } + + private void logContainerConfiguration(int port) { + log.info(String.format("Application work in %s mode on %s port.", properties.authMethod(), port)); + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java b/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java new file mode 100644 index 00000000..f0e470be --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java @@ -0,0 +1,116 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import static java.nio.file.Files.readAllBytes; + +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.GeneralSecurityException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import org.onap.dcae.ApplicationException; +import org.onap.dcae.ApplicationSettings; +import org.onap.dcae.common.SSLContextCreator; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.server.Ssl; +import org.springframework.boot.web.server.Ssl.ClientAuth; + +public class SslContextCreator { + + private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private final ApplicationSettings properties; + + public SslContextCreator(ApplicationSettings properties) { + this.properties = properties; + } + + public Ssl httpsContextWithTlsAuthentication(ClientAuth clientAuth) { + final SSLContextCreator sslContextCreator = simpleHttpsContextBuilder(); + + log.info("Enabling TLS client authorization"); + + final Path trustStore = toAbsolutePath(properties.truststoreFileLocation()); + log.info("Using trustStore path: " + trustStore); + + final Path trustPasswordFileLocation = toAbsolutePath(properties.truststorePasswordFileLocation()); + final String trustStorePassword = getKeyStorePassword(trustPasswordFileLocation); + log.info("Using trustStore password from: " + trustPasswordFileLocation); + + return sslContextCreator.withTlsClientAuthentication(trustStore, trustStorePassword, clientAuth).build(); + } + + public Ssl simpleHttpsContext(){ + return simpleHttpsContextBuilder().build(); + } + + private SSLContextCreator simpleHttpsContextBuilder() { + log.info("Enabling SSL"); + + final Path keyStorePath = toAbsolutePath(properties.keystoreFileLocation()); + log.info("Using keyStore path: " + keyStorePath); + + final Path keyStorePasswordLocation = toAbsolutePath(properties.keystorePasswordFileLocation()); + final String keyStorePassword = getKeyStorePassword(keyStorePasswordLocation); + log.info("Using keyStore password from: " + keyStorePasswordLocation); + return SSLContextCreator.create(keyStorePath, getKeyStoreAlias(keyStorePath, keyStorePassword), keyStorePassword); + } + + private String getKeyStoreAlias(Path keyStorePath, String keyStorePassword) { + KeyStore keyStore = getKeyStore(); + try(InputStream keyStoreData = new FileInputStream(keyStorePath.toString())){ + keyStore.load(keyStoreData, keyStorePassword.toCharArray()); + String alias = keyStore.aliases().nextElement(); + log.info("Actual key store alias is: " + alias); + return alias; + } catch (IOException | GeneralSecurityException ex) { + log.error("Cannot load Key Store alias cause: " + ex); + throw new ApplicationException(ex); + } + } + + private KeyStore getKeyStore() { + try { + return KeyStore.getInstance(KeyStore.getDefaultType()); + } catch (KeyStoreException ex) { + log.error("Cannot create Key Store instance cause: " + ex); + throw new ApplicationException(ex); + } + } + + private Path toAbsolutePath(final String path) { + return Paths.get(path).toAbsolutePath(); + } + + private String getKeyStorePassword(final Path location) { + try { + return new String(readAllBytes(location)); + } catch (IOException e) { + log.error("Could not read keystore password from: '" + location + "'.", e); + throw new ApplicationException(e); + } + } +} diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java index 3b76ae46..e2ac74c7 100644 --- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java +++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java @@ -25,6 +25,7 @@ import java.util.Base64; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.onap.dcae.ApplicationSettings; +import org.onap.dcae.common.configuration.AuthMethodType; import org.onap.dcaegen2.services.sdk.security.CryptPassword; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -34,37 +35,51 @@ final class ApiAuthInterceptor extends HandlerInterceptorAdapter { private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class); private final CryptPassword cryptPassword = new CryptPassword(); - private final ApplicationSettings applicationSettings; + private final ApplicationSettings settings; + private Logger errorLogger; - private Logger errorLog; - ApiAuthInterceptor(ApplicationSettings applicationSettings, Logger errorLog) { - this.applicationSettings = applicationSettings; - this.errorLog = errorLog; + public ApiAuthInterceptor(ApplicationSettings applicationSettings, Logger errorLogger) { + this.settings = applicationSettings; + this.errorLogger = errorLogger; } @Override - public boolean preHandle(HttpServletRequest request, HttpServletResponse response, - Object handler) throws IOException { - if (applicationSettings.authorizationEnabled()) { + public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) + throws IOException { + + if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value())){ + if (request.getAttribute("javax.servlet.request.X509Certificate") != null){ + LOG.info("Request is authorized by certificate "); + return true; + } + } + + if (isBasicAuth()) { String authorizationHeader = request.getHeader("Authorization"); if (authorizationHeader == null || !isAuthorized(authorizationHeader)) { - response.setStatus(400); - errorLog.error("EVENT_RECEIPT_FAILURE: Unauthorized user"); + response.setStatus(401); + errorLogger.error("EVENT_RECEIPT_FAILURE: Unauthorized user"); response.getWriter().write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); return false; } + LOG.info("Request is authorized by basic auth"); } return true; } + private boolean isBasicAuth() { + return settings.authMethod().equalsIgnoreCase(AuthMethodType.BASIC_AUTH.value()) + || settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value()); + } + private boolean isAuthorized(String authorizationHeader) { try { String encodedData = authorizationHeader.split(" ")[1]; String decodedData = new String(Base64.getDecoder().decode(encodedData)); String providedUser = decodedData.split(":")[0].trim(); String providedPassword = decodedData.split(":")[1].trim(); - Option<String> maybeSavedPassword = applicationSettings.validAuthorizationCredentials().get(providedUser); + Option<String> maybeSavedPassword = settings.validAuthorizationCredentials().get(providedUser); boolean userRegistered = maybeSavedPassword.isDefined(); return userRegistered && cryptPassword.matches(providedPassword,maybeSavedPassword.get()); } catch (Exception e) { diff --git a/src/main/java/org/onap/dcae/restapi/ServletConfig.java b/src/main/java/org/onap/dcae/restapi/ServletConfig.java index e66f3f1f..e68ddcdf 100644 --- a/src/main/java/org/onap/dcae/restapi/ServletConfig.java +++ b/src/main/java/org/onap/dcae/restapi/ServletConfig.java @@ -21,23 +21,17 @@ package org.onap.dcae.restapi; -import static java.nio.file.Files.readAllBytes; - -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.security.GeneralSecurityException; -import java.security.KeyStore; -import java.security.KeyStoreException; +import java.util.HashMap; +import java.util.Map; import org.onap.dcae.ApplicationException; import org.onap.dcae.ApplicationSettings; -import org.onap.dcae.common.SSLContextCreator; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import org.onap.dcae.common.configuration.AuthMethod; +import org.onap.dcae.common.configuration.AuthMethodType; +import org.onap.dcae.common.configuration.BasicAuth; +import org.onap.dcae.common.configuration.CertAuth; +import org.onap.dcae.common.configuration.CertBasicAuth; +import org.onap.dcae.common.configuration.NoAuth; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.boot.web.server.Ssl; import org.springframework.boot.web.server.WebServerFactoryCustomizer; import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; import org.springframework.stereotype.Component; @@ -45,90 +39,28 @@ import org.springframework.stereotype.Component; @Component public class ServletConfig implements WebServerFactoryCustomizer<ConfigurableServletWebServerFactory> { - private static final Logger log = LoggerFactory.getLogger(ServletConfig.class); - @Autowired private ApplicationSettings properties; @Override public void customize(ConfigurableServletWebServerFactory container) { - final boolean hasClientTlsAuthentication = properties.clientTlsAuthenticationEnabled(); - if (hasClientTlsAuthentication || properties.authorizationEnabled()) { - container.setSsl(hasClientTlsAuthentication ? httpsContextWithTlsAuthentication() : simpleHttpsContext()); - int port = properties.httpsPort(); - container.setPort(port); - log.info("Application https port: " + port); - } else { - int port = properties.httpPort(); - container.setPort(port); - log.info("Application http port: " + port); - } - - } - - private SSLContextCreator simpleHttpsContextBuilder() { - log.info("Enabling SSL"); - - final Path keyStorePath = toAbsolutePath(properties.keystoreFileLocation()); - log.info("Using keyStore path: " + keyStorePath); - - final Path keyStorePasswordLocation = toAbsolutePath(properties.keystorePasswordFileLocation()); - final String keyStorePassword = getKeyStorePassword(keyStorePasswordLocation); - log.info("Using keyStore password from: " + keyStorePasswordLocation); - return SSLContextCreator.create(keyStorePath, getKeyStoreAlias(keyStorePath, keyStorePassword), keyStorePassword); - } - - private String getKeyStoreAlias(Path keyStorePath, String keyStorePassword) { - KeyStore keyStore = getKeyStore(); - try(InputStream keyStoreData = new FileInputStream(keyStorePath.toString())){ - keyStore.load(keyStoreData, keyStorePassword.toCharArray()); - String alias = keyStore.aliases().nextElement(); - log.info("Actual key store alias is: " + alias); - return alias; - } catch (IOException | GeneralSecurityException ex) { - log.error("Cannot load Key Store alias cause: " + ex); - throw new ApplicationException(ex); - } - } - - private KeyStore getKeyStore() { - try { - return KeyStore.getInstance(KeyStore.getDefaultType()); - } catch (KeyStoreException ex) { - log.error("Cannot create Key Store instance cause: " + ex); - throw new ApplicationException(ex); - } - } - - private Ssl simpleHttpsContext() { - return simpleHttpsContextBuilder().build(); - } - - private Ssl httpsContextWithTlsAuthentication() { - final SSLContextCreator sslContextCreator = simpleHttpsContextBuilder(); - - log.info("Enabling TLS client authorization"); - - final Path trustStore = toAbsolutePath(properties.truststoreFileLocation()); - log.info("Using trustStore path: " + trustStore); - - final Path trustPasswordFileLocation = toAbsolutePath(properties.truststorePasswordFileLocation()); - final String trustStorePassword = getKeyStorePassword(trustPasswordFileLocation); - log.info("Using trustStore password from: " + trustPasswordFileLocation); - - return sslContextCreator.withTlsClientAuthentication(trustStore, trustStorePassword).build(); + provideAuthConfigurations(container).getOrDefault(properties.authMethod(), + notSupportedOperation()).configure(); } - private Path toAbsolutePath(final String path) { - return Paths.get(path).toAbsolutePath(); + private Map<String, AuthMethod> provideAuthConfigurations(ConfigurableServletWebServerFactory container) { + Map<String, AuthMethod> authMethods = new HashMap<>(); + authMethods.put(AuthMethodType.CERT_ONLY.value(), new CertAuth(container, properties)); + authMethods.put(AuthMethodType.BASIC_AUTH.value(), new BasicAuth(container, properties)); + authMethods.put(AuthMethodType.CERT_BASIC_AUTH.value(), new CertBasicAuth(container, properties)); + authMethods.put(AuthMethodType.NO_AUTH.value(), new NoAuth(container, properties)); + return authMethods; } - private String getKeyStorePassword(final Path location) { - try { - return new String(readAllBytes(location)); - } catch (IOException e) { - log.error("Could not read keystore password from: '" + location + "'.", e); - throw new ApplicationException(e); - } + private AuthMethod notSupportedOperation() { + return () -> { + throw new ApplicationException( + "Provided auth method not allowed: " + properties.authMethod()); + }; } }
\ No newline at end of file diff --git a/src/test/java/org/onap/dcae/ApplicationSettingsTest.java b/src/test/java/org/onap/dcae/ApplicationSettingsTest.java index 646d3e52..60287aef 100644 --- a/src/test/java/org/onap/dcae/ApplicationSettingsTest.java +++ b/src/test/java/org/onap/dcae/ApplicationSettingsTest.java @@ -344,22 +344,12 @@ public class ApplicationSettingsTest { } @Test - public void shouldReturnIfAuthorizationIsEnabled() throws IOException { - // when - boolean authorizationEnabled = fromTemporaryConfiguration("header.authflag=1") - .authorizationEnabled(); - - // then - assertTrue(authorizationEnabled); - } - - @Test public void shouldAuthorizationBeDisabledByDefault() throws IOException { // when - boolean authorizationEnabled = fromTemporaryConfiguration().authorizationEnabled(); + boolean authorizationEnabled = fromTemporaryConfiguration().authMethod().contains("noAuth"); // then - assertFalse(authorizationEnabled); + assertTrue(authorizationEnabled); } @Test diff --git a/src/test/java/org/onap/dcae/TLSTest.java b/src/test/java/org/onap/dcae/TLSTest.java index e088df28..b1f90371 100644 --- a/src/test/java/org/onap/dcae/TLSTest.java +++ b/src/test/java/org/onap/dcae/TLSTest.java @@ -24,6 +24,7 @@ package org.onap.dcae; import io.vavr.collection.HashMap; import org.junit.jupiter.api.Nested; import org.junit.jupiter.api.Test; +import org.onap.dcae.common.configuration.AuthMethodType; import org.springframework.context.annotation.Import; import org.springframework.http.HttpStatus; @@ -86,8 +87,8 @@ public class TLSTest extends TLSTestBase { class HttpsWithTLSAuthenticationAndBasicAuthTest extends TestClassBase { @Test - public void shouldHttpsRequestWithoutBasicAuthFail() { - assertThrows(Exception.class, this::makeHttpsRequestWithClientCert); + public void shouldHttpsRequestWithoutBasicAuthSucceed() { + assertEquals(HttpStatus.OK, makeHttpsRequestWithClientCert().getStatusCode()); } @Test @@ -100,6 +101,7 @@ public class TLSTest extends TLSTestBase { static class HttpConfiguration extends TLSTestBase.ConfigurationBase { @Override protected void configureSettings(ApplicationSettings settings) { + when(settings.authMethod()).thenReturn(AuthMethodType.NO_AUTH.value()); } } @@ -111,7 +113,7 @@ public class TLSTest extends TLSTestBase { protected void configureSettings(ApplicationSettings settings) { when(settings.keystoreFileLocation()).thenReturn(KEYSTORE.toString()); when(settings.keystorePasswordFileLocation()).thenReturn(KEYSTORE_PASSWORD_FILE.toString()); - when(settings.authorizationEnabled()).thenReturn(true); + when(settings.authMethod()).thenReturn(AuthMethodType.BASIC_AUTH.value()); when(settings.validAuthorizationCredentials()).thenReturn(HashMap.of(USERNAME, "$2a$10$51tDgG2VNLde5E173Ay/YO.Fq.aD.LR2Rp8pY3QAKriOSPswvGviy")); } } @@ -120,8 +122,7 @@ public class TLSTest extends TLSTestBase { @Override protected void configureSettings(ApplicationSettings settings) { super.configureSettings(settings); - when(settings.authorizationEnabled()).thenReturn(false); - when(settings.clientTlsAuthenticationEnabled()).thenReturn(true); + when(settings.authMethod()).thenReturn(AuthMethodType.CERT_ONLY.value()); when(settings.truststoreFileLocation()).thenReturn(TRUSTSTORE.toString()); when(settings.truststorePasswordFileLocation()).thenReturn(TRUSTSTORE_PASSWORD_FILE.toString()); } @@ -131,7 +132,7 @@ public class TLSTest extends TLSTestBase { @Override protected void configureSettings(ApplicationSettings settings) { super.configureSettings(settings); - when(settings.authorizationEnabled()).thenReturn(true); + when(settings.authMethod()).thenReturn(AuthMethodType.CERT_BASIC_AUTH.value()); } } -} +}
\ No newline at end of file diff --git a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java index 569fd969..a295046b 100644 --- a/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java +++ b/src/test/java/org/onap/dcae/restapi/ApiAuthInterceptionTest.java @@ -28,6 +28,7 @@ import org.mockito.InjectMocks; import org.mockito.Mock; import org.mockito.junit.MockitoJUnitRunner; import org.onap.dcae.ApplicationSettings; +import org.onap.dcae.common.configuration.AuthMethodType; import org.slf4j.Logger; import org.springframework.http.HttpHeaders; import org.springframework.http.HttpStatus; @@ -89,7 +90,7 @@ public class ApiAuthInterceptionTest { // given final HttpServletRequest request = createEmptyRequest(); - when(settings.authorizationEnabled()).thenReturn(false); + when(settings.authMethod()).thenReturn(AuthMethodType.NO_AUTH.value()); // when final boolean isAuthorized = sut.preHandle(request, response, obj); @@ -103,7 +104,7 @@ public class ApiAuthInterceptionTest { // given final HttpServletRequest request = createEmptyRequest(); - when(settings.authorizationEnabled()).thenReturn(true); + when(settings.authMethod()).thenReturn(AuthMethodType.BASIC_AUTH.value()); when(response.getWriter()).thenReturn(writer); // when @@ -113,7 +114,7 @@ public class ApiAuthInterceptionTest { // then assertFalse(isAuthorized); - verify(response).setStatus(HttpStatus.BAD_REQUEST.value()); + verify(response).setStatus(HttpStatus.UNAUTHORIZED.value()); verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); } @@ -122,7 +123,7 @@ public class ApiAuthInterceptionTest { // given final HttpServletRequest request = createRequestWithAuthorizationHeader(); - when(settings.authorizationEnabled()).thenReturn(true); + when(settings.authMethod()).thenReturn(AuthMethodType.BASIC_AUTH.value()); when(response.getWriter()).thenReturn(writer); // when @@ -131,7 +132,7 @@ public class ApiAuthInterceptionTest { // then assertFalse(isAuthorized); - verify(response).setStatus(HttpStatus.BAD_REQUEST.value()); + verify(response).setStatus(HttpStatus.UNAUTHORIZED.value()); verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); } @@ -139,7 +140,7 @@ public class ApiAuthInterceptionTest { public void shouldSucceed() throws IOException { // given final HttpServletRequest request = createRequestWithAuthorizationHeader(); - when(settings.authorizationEnabled()).thenReturn(true); + when(settings.authMethod()).thenReturn(AuthMethodType.CERT_ONLY.value()); when(settings.validAuthorizationCredentials()).thenReturn( HashMap.of(USERNAME, "$2a$10$BsZkEynNm/93wbAeeZuxJeu6IHRyQl4XReqDg2BtYOFDhUsz20.3G")); when(response.getWriter()).thenReturn(writer); @@ -160,7 +161,7 @@ public class ApiAuthInterceptionTest { .header(HttpHeaders.AUTHORIZATION, "FooBar") .buildRequest(null); - when(settings.authorizationEnabled()).thenReturn(true); + when(settings.authMethod()).thenReturn(AuthMethodType.BASIC_AUTH.value()); when(settings.validAuthorizationCredentials()).thenReturn(CREDENTIALS); when(response.getWriter()).thenReturn(writer); @@ -170,7 +171,7 @@ public class ApiAuthInterceptionTest { // then assertFalse(isAuthorized); - verify(response).setStatus(HttpStatus.BAD_REQUEST.value()); + verify(response).setStatus(HttpStatus.UNAUTHORIZED.value()); verify(writer).write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); } } diff --git a/src/test/resources/controller-config_dmaap_ip.json b/src/test/resources/controller-config_dmaap_ip.json index f12a36fa..1cc6576b 100644 --- a/src/test/resources/controller-config_dmaap_ip.json +++ b/src/test/resources/controller-config_dmaap_ip.json @@ -1,5 +1,5 @@ { - "header.authflag": 1, + "auth.method": "noAuth", "collector.inputQueue.maxPending": 8096, "collector.schema.checkflag": 1, "collector.keystore.file.location": "/opt/app/dcae-certificate/keystore.jks", diff --git a/src/test/resources/controller-config_singleline_ip.json b/src/test/resources/controller-config_singleline_ip.json index 827138c7..c3a8d067 100644 --- a/src/test/resources/controller-config_singleline_ip.json +++ b/src/test/resources/controller-config_singleline_ip.json @@ -1,5 +1,5 @@ { - "header.authflag": "1", + "auth.method": "noAuth", "collector.schema.file": "{\"v1\": \"./etc/CommonEventFormat_27.2.json\", \"v2\": \"./etc/CommonEventFormat_27.2.json\", \"v3\": \"./etc/CommonEventFormat_27.2.json\", \"v4\": \"./etc/CommonEventFormat_27.2.json\", \"v5\": \"./etc/CommonEventFormat_28.4.json\"}", "collector.keystore.passwordfile": "/opt/app/dcae-certificate/.password", "tomcat.maxthreads": "200", diff --git a/src/test/resources/test_collector_ip_op.properties b/src/test/resources/test_collector_ip_op.properties index 1d1364bc..9450067a 100644 --- a/src/test/resources/test_collector_ip_op.properties +++ b/src/test/resources/test_collector_ip_op.properties @@ -6,7 +6,7 @@ collector.schema.checkflag=1 collector.schema.file={\"v1\":\"./etc/CommonEventFormat_27.2.json\",\"v2\":\"./etc/CommonEventFormat_27.2.json\",\"v3\":\"./etc/CommonEventFormat_27.2.json\",\"v4\":\"./etc/CommonEventFormat_27.2.json\",\"v5\":\"./etc/CommonEventFormat_28.4.json\"} collector.dmaap.streamid=fault=ves-fault,ves-fault-secondary|syslog=ves-syslog,ves-syslog-secondary|heartbeat=ves-heartbeat,ves-heartbeat-secondary|measurementsForVfScaling=ves-measurement,ves-measurement-secondary|mobileFlow=ves-mobileflow,ves-mobileflow-secondary|other=ves-other,ves-other-secondary|stateChange=ves-statechange,ves-statechange-secondary|thresholdCrossingAlert=ves-thresholdCrossingAlert,ves-thresholdCrossingAlert-secondary|voiceQuality=ves-voicequality,ves-voicequality-secondary|sipSignaling=ves-sipsignaling,ves-sipsignaling-secondary collector.dmaapfile=./etc/DmaapConfig.json -header.authflag=1 +auth.method=noAuth header.authlist=sample1,$2a$10$pgjaxDzSuc6XVFEeqvxQ5u90DKJnM/u7TJTcinAlFJVaavXMWf/Zi|userid1,$2a$10$61gNubgJJl9lh3nvQvY9X.x4e5ETWJJ7ao7ZhJEvmfJigov26Z6uq|userid2,$2a$10$G52y/3uhuhWAMy.bx9Se8uzWinmbJa.dlm1LW6bYPdPkkywLDPLiy event.transform.flag=1 collector.inputQueue.maxPending = 8096 diff --git a/src/test/resources/testcollector.properties b/src/test/resources/testcollector.properties index a99fd067..c3fcca62 100644 --- a/src/test/resources/testcollector.properties +++ b/src/test/resources/testcollector.properties @@ -6,7 +6,7 @@ collector.schema.checkflag=1 collector.schema.file={\"v1\":\"./etc/CommonEventFormat_27.2.json\",\"v2\":\"./etc/CommonEventFormat_27.2.json\",\"v3\":\"./etc/CommonEventFormat_27.2.json\",\"v4\":\"./etc/CommonEventFormat_27.2.json\",\"v5\":\"./etc/CommonEventFormat_28.4.json\"}
collector.dmaap.streamid=fault=sec_fault|syslog=sec_syslog|heartbeat=sec_heartbeat|measurementsForVfScaling=sec_measurement|mobileFlow=sec_mobileflow|other=sec_other|stateChange=sec_statechange|thresholdCrossingAlert=sec_thresholdCrossingAlert|voiceQuality=ves_voicequality|sipSignaling=ves_sipsignaling
collector.dmaapfile=./etc/DmaapConfig.json
-header.authflag=1
+auth.method=noAuth
header.authlist=sample1,$2a$10$pgjaxDzSuc6XVFEeqvxQ5u90DKJnM/u7TJTcinAlFJVaavXMWf/Zi|userid1,$2a$10$61gNubgJJl9lh3nvQvY9X.x4e5ETWJJ7ao7ZhJEvmfJigov26Z6uq|userid2,$2a$10$G52y/3uhuhWAMy.bx9Se8uzWinmbJa.dlm1LW6bYPdPkkywLDPLiy
event.transform.flag=1
|