diff options
Diffstat (limited to 'src/main/java')
8 files changed, 46 insertions, 134 deletions
diff --git a/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java b/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java index 7eb1b414..027b1895 100644 --- a/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java +++ b/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java @@ -23,7 +23,7 @@ package org.onap.dcae.common.configuration; public enum AuthMethodType { - NO_AUTH("noAuth"),CERT_ONLY("certOnly"),CERT_BASIC_AUTH("certBasicAuth"),BASIC_AUTH("basicAuth"); + NO_AUTH("noAuth"),CERT_BASIC_AUTH("certBasicAuth"); private final String value; diff --git a/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java b/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java deleted file mode 100644 index c3730512..00000000 --- a/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java +++ /dev/null @@ -1,48 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * PROJECT - * ================================================================================ - * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. - * Copyright (C) 2018 Nokia. All rights reserved.s - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package org.onap.dcae.common.configuration; - -import org.onap.dcae.ApplicationSettings; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; - -public class BasicAuth implements AuthMethod { - - private static final Logger log = LoggerFactory.getLogger(BasicAuth.class); - private final ConfigurableServletWebServerFactory container; - private final ApplicationSettings properties; - - public BasicAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { - this.container = container; - this.properties = properties; - } - - @Override - public void configure() { - SslContextCreator sslContextCreator = new SslContextCreator(properties); - container.setPort(properties.httpsPort()); - container.setSsl(sslContextCreator.simpleHttpsContext()); - log.info(String.format("Application work in %s mode on %s port.", - properties.authMethod(), properties.httpsPort())); - } -} diff --git a/src/main/java/org/onap/dcae/common/configuration/CertAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java deleted file mode 100644 index 53031142..00000000 --- a/src/main/java/org/onap/dcae/common/configuration/CertAuth.java +++ /dev/null @@ -1,49 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * PROJECT - * ================================================================================ - * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. - * Copyright (C) 2018 - 2019 Nokia. All rights reserved. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package org.onap.dcae.common.configuration; - -import org.onap.dcae.ApplicationSettings; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.boot.web.server.Ssl.ClientAuth; -import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; - -public class CertAuth implements AuthMethod { - - private static final Logger log = LoggerFactory.getLogger(CertAuth.class); - private final ConfigurableServletWebServerFactory container; - private final ApplicationSettings properties; - - public CertAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { - this.container = container; - this.properties = properties; - } - - @Override - public void configure() { - SslContextCreator sslContextCreator = new SslContextCreator(properties); - container.setSsl(sslContextCreator.httpsContextWithTlsAuthentication(ClientAuth.NEED)); - container.setPort(properties.httpsPort()); - log.info(String.format("Application work in %s mode on %s port.", - properties.authMethod(), properties.httpsPort())); - } -} diff --git a/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java index fa4a1b2d..73d69859 100644 --- a/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java +++ b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java @@ -29,7 +29,7 @@ import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerF public class CertBasicAuth implements AuthMethod{ - private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private static final Logger log = LoggerFactory.getLogger(CertBasicAuth.class); private final ConfigurableServletWebServerFactory container; private final ApplicationSettings properties; diff --git a/src/main/java/org/onap/dcae/common/configuration/NoAuth.java b/src/main/java/org/onap/dcae/common/configuration/NoAuth.java index a64749c0..c91ce04b 100644 --- a/src/main/java/org/onap/dcae/common/configuration/NoAuth.java +++ b/src/main/java/org/onap/dcae/common/configuration/NoAuth.java @@ -51,9 +51,7 @@ public class NoAuth implements AuthMethod { } private boolean validateAuthMethod() { - return properties.authMethod().equalsIgnoreCase(AuthMethodType.BASIC_AUTH.value()) - || properties.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value()) - || properties.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value()); + return properties.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value()); } private void logContainerConfiguration(int port) { diff --git a/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java b/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java index f0e470be..75b0e6f9 100644 --- a/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java +++ b/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java @@ -41,7 +41,7 @@ import org.springframework.boot.web.server.Ssl.ClientAuth; public class SslContextCreator { - private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private static final Logger log = LoggerFactory.getLogger(SslContextCreator.class); private final ApplicationSettings properties; public SslContextCreator(ApplicationSettings properties) { diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java index a9281594..8c5fb82a 100644 --- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java +++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java @@ -22,7 +22,9 @@ package org.onap.dcae.restapi; import io.vavr.control.Option; import java.io.IOException; import java.security.cert.X509Certificate; +import java.util.Arrays; import java.util.Base64; +import java.util.stream.Collectors; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.onap.dcae.ApplicationSettings; @@ -53,10 +55,11 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter { public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException { - SubjectMatcher subjectMatcher = new SubjectMatcher(settings,(X509Certificate[]) request.getAttribute(CERTIFICATE_X_509)); + X509Certificate[] certificates = (X509Certificate[]) request.getAttribute(CERTIFICATE_X_509); + SubjectMatcher subjectMatcher = new SubjectMatcher(settings, certificates); - if(!settings.authMethod().equalsIgnoreCase(AuthMethodType.NO_AUTH.value()) && request.getServerPort() == settings.httpPort() ){ - if(request.getRequestURI().replaceAll("^/|/$", "").equalsIgnoreCase("healthcheck")){ + if(isHttpPortCalledWithAuthTurnedOn(request)){ + if(isHealthcheckCalledFromInsideCluster(request)){ return true; } response.getWriter().write("Operation not permitted"); @@ -64,20 +67,33 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter { return false; } - if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value())){ - return validateCertRequest(response, subjectMatcher); - } - if(isCertSubject(subjectMatcher)){ + LOG.debug("Cert and subjectDN is valid. Subject: " + extractSubject(certificates)); return true; } - if (isBasicAuth() ) { + if (isBasicAuth()) { return validateBasicHeader(request, response); } return true; } + private String extractSubject(X509Certificate[] certs) { + return Arrays.stream(certs) + .map(e -> e.getSubjectDN().getName()) + .collect(Collectors.joining(",")); + } + + private boolean isHttpPortCalledWithAuthTurnedOn(HttpServletRequest request) { + return !settings.authMethod().equalsIgnoreCase(AuthMethodType.NO_AUTH.value()) + && request.getLocalPort() == settings.httpPort(); + } + + private boolean isHealthcheckCalledFromInsideCluster(HttpServletRequest request) { + return request.getRequestURI().replaceAll("^/|/$", "").equalsIgnoreCase("healthcheck") + && request.getServerPort() == settings.httpPort(); + } + private boolean validateBasicHeader(HttpServletRequest request, HttpServletResponse response) throws IOException { String authorizationHeader = request.getHeader("Authorization"); @@ -87,24 +103,12 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter { response.getWriter().write(ApiException.UNAUTHORIZED_USER.toJSON().toString()); return false; } - LOG.info("Request is authorized by basic auth"); - return true; - } - - private boolean validateCertRequest(HttpServletResponse response, SubjectMatcher subjectMatcher) - throws IOException { - if (!isCertSubject(subjectMatcher)) { - response.setStatus(HttpServletResponse.SC_FORBIDDEN); - response.getWriter().write(String.format(MESSAGE, settings.certSubjectMatcher())); - return false; - } - LOG.info("Cert and subjectDN is valid"); + LOG.debug("Request is authorized by basic auth. User: " + extractUser(decodeCredentials(authorizationHeader))); return true; } private boolean isCertSubject(SubjectMatcher subjectMatcher) { if(subjectMatcher.isCert() && subjectMatcher.match()){ - LOG.info("Cert and subjectDN is valid"); return true; } LOG.info(String.format(MESSAGE, settings.certSubjectMatcher())); @@ -112,16 +116,14 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter { } private boolean isBasicAuth() { - return settings.authMethod().equalsIgnoreCase(AuthMethodType.BASIC_AUTH.value()) - || settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value()); + return settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value()); } private boolean isAuthorized(String authorizationHeader) { try { - String encodedData = authorizationHeader.split(" ")[1]; - String decodedData = new String(Base64.getDecoder().decode(encodedData)); - String providedUser = decodedData.split(":")[0].trim(); - String providedPassword = decodedData.split(":")[1].trim(); + String decodeCredentials = decodeCredentials(authorizationHeader); + String providedUser = extractUser(decodeCredentials); + String providedPassword = extractPassword(decodeCredentials); Option<String> maybeSavedPassword = settings.validAuthorizationCredentials().get(providedUser); boolean userRegistered = maybeSavedPassword.isDefined(); return userRegistered && cryptPassword.matches(providedPassword,maybeSavedPassword.get()); @@ -131,4 +133,17 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter { return false; } } + + private String extractPassword(String decodeCredentials) { + return decodeCredentials.split(":")[1].trim(); + } + + private String extractUser(String decodeCredentials) { + return decodeCredentials.split(":")[0].trim(); + } + + private String decodeCredentials(String authorizationHeader) { + String encodedData = authorizationHeader.split(" ")[1]; + return new String(Base64.getDecoder().decode(encodedData)); + } }
\ No newline at end of file diff --git a/src/main/java/org/onap/dcae/restapi/ServletConfig.java b/src/main/java/org/onap/dcae/restapi/ServletConfig.java index e68ddcdf..9af3eed8 100644 --- a/src/main/java/org/onap/dcae/restapi/ServletConfig.java +++ b/src/main/java/org/onap/dcae/restapi/ServletConfig.java @@ -27,8 +27,6 @@ import org.onap.dcae.ApplicationException; import org.onap.dcae.ApplicationSettings; import org.onap.dcae.common.configuration.AuthMethod; import org.onap.dcae.common.configuration.AuthMethodType; -import org.onap.dcae.common.configuration.BasicAuth; -import org.onap.dcae.common.configuration.CertAuth; import org.onap.dcae.common.configuration.CertBasicAuth; import org.onap.dcae.common.configuration.NoAuth; import org.springframework.beans.factory.annotation.Autowired; @@ -50,8 +48,6 @@ public class ServletConfig implements WebServerFactoryCustomizer<ConfigurableSer private Map<String, AuthMethod> provideAuthConfigurations(ConfigurableServletWebServerFactory container) { Map<String, AuthMethod> authMethods = new HashMap<>(); - authMethods.put(AuthMethodType.CERT_ONLY.value(), new CertAuth(container, properties)); - authMethods.put(AuthMethodType.BASIC_AUTH.value(), new BasicAuth(container, properties)); authMethods.put(AuthMethodType.CERT_BASIC_AUTH.value(), new CertBasicAuth(container, properties)); authMethods.put(AuthMethodType.NO_AUTH.value(), new NoAuth(container, properties)); return authMethods; |