From a6ffdd5cb52d61792dfe8e233620b34098a5fb37 Mon Sep 17 00:00:00 2001 From: Zlatko Murgoski Date: Tue, 9 Apr 2019 15:32:52 +0200 Subject: Collector authentication enhancement Add cert subject verifier Change-Id: If2c3c0984e9eec63e2884ca17db953fff2719888 Issue-ID: DCAEGEN2-1101 Signed-off-by: Zlatko Murgoski
---
 .../dcae/common/configuration/CustomFilter.java | 83 ++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 src/main/java/org/onap/dcae/common/configuration/CustomFilter.java (limited to 'src/main/java/org/onap/dcae/common/configuration/CustomFilter.java')
diff --git a/src/main/java/org/onap/dcae/common/configuration/CustomFilter.java b/src/main/java/org/onap/dcae/common/configuration/CustomFilter.java
new file mode 100644
index 00000000..ae693fa6
--- /dev/null
+++ b/src/main/java/org/onap/dcae/common/configuration/CustomFilter.java
@@ -0,0 +1,83 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dcaegen2.collectors.ves
+ * ================================================================================
+ * Copyright (C) 2019 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dcae.common.configuration;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.onap.dcae.ApplicationSettings;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.filter.GenericFilterBean;
+
+@Configuration
+public class CustomFilter extends GenericFilterBean {
+
+ private static final String CERTIFICATE_X_509 = "javax.servlet.request.X509Certificate";
+ private static final String MESSAGE = "SubjectDN didn't match with any regexp from %s file like %s";
+ private ApplicationSettings properties;
+
+ public CustomFilter(ApplicationSettings properties) {
+ this.properties = properties;
+ }
+
+ @Override
+ public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
+ FilterChain filterChain) throws IOException, ServletException {
+
+ X509Certificate[] cert = (X509Certificate[]) servletRequest.getAttribute(CERTIFICATE_X_509);
+
+ if (cert != null) {
+ if (getLines().anyMatch(element -> Pattern.compile(element).matcher(getSubjectDN(cert)).find())) {
+ filterChain.doFilter(servletRequest, servletResponse);
+ } else {
+ setResponse((HttpServletResponse) servletResponse);
+ }
+ } else {
+ filterChain.doFilter(servletRequest, servletResponse);
+ }
+ }
+
+ private void setResponse(HttpServletResponse servletResponse) throws IOException {
+ HttpServletResponse response = servletResponse;
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
+ String.format(MESSAGE, properties.certSubjectMatcher(), getLines().collect(Collectors.joining(" "))));
+ }
+
+ private Stream getLines() throws IOException {
+ return Files.lines(Paths.get(properties.certSubjectMatcher()));
+ }
+
+ private String getSubjectDN(X509Certificate[] certs) {
+ return Arrays.stream(certs).map(e -> e.getSubjectDN().getName())
+ .map(x -> x.split(",")).flatMap(Arrays::stream)
+ .collect(Collectors.joining(","));
+ }
+}
-- cgit 1.2.3-korg