From a6ffdd5cb52d61792dfe8e233620b34098a5fb37 Mon Sep 17 00:00:00 2001
From: Zlatko Murgoski
Date: Tue, 9 Apr 2019 15:32:52 +0200
Subject: Collector authentication enhancement
Add cert subject verifier
Change-Id: If2c3c0984e9eec63e2884ca17db953fff2719888
Issue-ID: DCAEGEN2-1101
Signed-off-by: Zlatko Murgoski
---
 .../onap/dcae/common/configuration/CertAuth.java | 31 +++++++-
 .../dcae/common/configuration/CertBasicAuth.java | 31 +++++++-
 .../dcae/common/configuration/CustomFilter.java | 83 ++++++++++++++++++++++
 3 files changed, 143 insertions(+), 2 deletions(-)
 create mode 100644 src/main/java/org/onap/dcae/common/configuration/CustomFilter.java
(limited to 'src/main/java/org/onap/dcae/common/configuration')
diff --git a/src/main/java/org/onap/dcae/common/configuration/CertAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java
index 3c4fb62c..481fb5ec 100644
--- a/src/main/java/org/onap/dcae/common/configuration/CertAuth.java
+++ b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java
@@ -21,13 +21,24 @@ package org.onap.dcae.common.configuration;
+import org.onap.dcae.ApplicationException;
 import org.onap.dcae.ApplicationSettings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.boot.web.server.Ssl.ClientAuth;
 import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
-public class CertAuth implements AuthMethod {
+@Configuration
+@Order(0)
+@EnableWebSecurity
+public class CertAuth extends WebSecurityConfigurerAdapter implements AuthMethod {
 private static final Logger log = LoggerFactory.getLogger(CertAuth.class);
 private final ConfigurableServletWebServerFactory container;
@@ -38,6 +49,24 @@ public class CertAuth implements AuthMethod {
 this.properties = properties;
 }
+ @Override
+ public void configure(WebSecurity web) {
+ web.ignoring().anyRequest();
+ }
+
+ @Override
+ protected void configure(HttpSecurity http) {
+ try {
+ http.authorizeRequests()
+ .anyRequest().authenticated().and()
+ .addFilterBefore(new CustomFilter(properties), FilterSecurityInterceptor.class);
+
+ } catch (Exception ex) {
+ log.error("Cannot authorize request cause: ",ex);
+ throw new ApplicationException(ex);
+ }
+ }
+
 @Override
 public void configure() {
 SslContextCreator sslContextCreator = new SslContextCreator(properties);
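Review bot: `web.ignoring().anyRequest()` in the new `configure(WebSecurity)` removes every request from the Spring Security filter chain, so the rules in `configure(HttpSecurity)` directly below it — `.anyRequest().authenticated()` and the `CustomFilter` placed before `FilterSecurityInterceptor` — never execute through that chain; CertBasicAuth.java carries the identical pair of methods in its second hunk. The subject check then only runs at all if Spring Boot picks up `CustomFilter` as a plain `Filter` bean (the new file annotates it `@Configuration`), which would be an implicit registration rather than the one declared here and does not appear to depend on which AuthMethod is active, so confirm against the application's wiring. Either drop the `ignoring()` rule or narrow it to the endpoints that must stay unauthenticated, and add a comment on `configure(WebSecurity)` stating which requests it is meant to exclude and why. The `catch (Exception ex)` around the builder keeps the cause when rethrowing, which is fine, but the message `"Cannot authorize request cause: "` is logged at configuration time rather than per request; `"Cannot configure request authorization: "` would describe what failed.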
diff --git a/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java
index f756b47d..c9e0af41 100644
--- a/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java
+++ b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java
@@ -21,13 +21,24 @@ package org.onap.dcae.common.configuration;
+import org.onap.dcae.ApplicationException;
 import org.onap.dcae.ApplicationSettings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.boot.web.server.Ssl.ClientAuth;
 import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
-public class CertBasicAuth implements AuthMethod{
+@Configuration
+@Order(1)
+@EnableWebSecurity
+public class CertBasicAuth extends WebSecurityConfigurerAdapter implements AuthMethod{
 private static final Logger log = LoggerFactory.getLogger(CertAuth.class);
 private final ConfigurableServletWebServerFactory container;
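Review bot: The logger in the context line `private static final Logger log = LoggerFactory.getLogger(CertAuth.class);` belongs to the other class, and the `log.error(...)` call the next hunk adds to `CertBasicAuth.configure(HttpSecurity)` now reports through it, so a failure in this configuration is attributed to CertAuth in the logs. Change it to `private static final Logger log = LoggerFactory.getLogger(CertBasicAuth.class);` so the two security configurations can be told apart. With both classes now marked `@Configuration` and `@EnableWebSecurity` and only the `@Order` value differing (1 here, 0 in CertAuth), it looks as though both adapters are registered at once rather than only the one selected as AuthMethod; a class-level comment explaining the ordering and when each adapter is expected to apply would settle that for the next reader.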
@@ -38,6 +49,24 @@ public class CertBasicAuth implements AuthMethod{
 this.properties = properties;
 }
+ @Override
+ public void configure(WebSecurity web) {
+ web.ignoring().anyRequest();
+ }
+
+ @Override
+ protected void configure(HttpSecurity http) {
+ try {
+ http.authorizeRequests()
+ .anyRequest().authenticated().and()
+ .addFilterBefore(new CustomFilter(properties), FilterSecurityInterceptor.class);
+
+ } catch (Exception ex) {
+ log.error("Cannot authorize request cause: ",ex);
+ throw new ApplicationException(ex);
+ }
+ }
+
 @Override
 public void configure() {
 SslContextCreator sslContextCreator = new SslContextCreator(properties);
diff --git a/src/main/java/org/onap/dcae/common/configuration/CustomFilter.java b/src/main/java/org/onap/dcae/common/configuration/CustomFilter.java
new file mode 100644
index 00000000..ae693fa6
--- /dev/null
+++ b/src/main/java/org/onap/dcae/common/configuration/CustomFilter.java
@@ -0,0 +1,83 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dcaegen2.collectors.ves
+ * ================================================================================
+ * Copyright (C) 2019 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dcae.common.configuration;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.onap.dcae.ApplicationSettings;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.filter.GenericFilterBean;
+
+@Configuration
+public class CustomFilter extends GenericFilterBean {
+
+ private static final String CERTIFICATE_X_509 = "javax.servlet.request.X509Certificate";
+ private static final String MESSAGE = "SubjectDN didn't match with any regexp from %s file like %s";
+ private ApplicationSettings properties;
+
+ public CustomFilter(ApplicationSettings properties) {
+ this.properties = properties;
+ }
+
+ @Override
+ public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
+ FilterChain filterChain) throws IOException, ServletException {
+
+ X509Certificate[] cert = (X509Certificate[]) servletRequest.getAttribute(CERTIFICATE_X_509);
+
+ if (cert != null) {
+ if (getLines().anyMatch(element -> Pattern.compile(element).matcher(getSubjectDN(cert)).find())) {
+ filterChain.doFilter(servletRequest, servletResponse);
+ } else {
+ setResponse((HttpServletResponse) servletResponse);
+ }
+ } else {
+ filterChain.doFilter(servletRequest, servletResponse);
+ }
+ }
+
+ private void setResponse(HttpServletResponse servletResponse) throws IOException {
+ HttpServletResponse response = servletResponse;
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
+ String.format(MESSAGE, properties.certSubjectMatcher(), getLines().collect(Collectors.joining(" "))));
+ }
+
+ private Stream getLines() throws IOException {
+ return Files.lines(Paths.get(properties.certSubjectMatcher()));
+ }
+
+ private String getSubjectDN(X509Certificate[] certs) {
+ return Arrays.stream(certs).map(e -> e.getSubjectDN().getName())
+ .map(x -> x.split(",")).flatMap(Arrays::stream)
+ .collect(Collectors.joining(","));
+ }
+}
-- cgit 1.2.3-korg
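Review bot: `getLines()` opens the matcher file with `Files.lines` and the stream is never closed — `doFilter` calls it once per request and `setResponse` calls it again on a rejection — so every request carrying a client certificate leaks a file handle, and the file is re-read and every pattern recompiled each time. The 403 body built from `MESSAGE` also hands the client the server-side path from `properties.certSubjectMatcher()` and the complete list of accepted subject regexes; that belongs in the server log, and the response should be a bare `SC_FORBIDDEN`. The check itself is looser than it reads: `getSubjectDN` joins the DNs of the whole chain, so a pattern can match an issuer's subject rather than the presented leaf (`certs[0]`), and because `find()` is unanchored an empty line in the file compiles to a pattern that matches every subject, silently turning the allowlist into allow-all. Requests with no certificate attribute pass straight through, which may be intended where TLS client auth is enforced by the connector, but the class has no Javadoc saying so, and the raw `Stream` return type should be `Stream<String>`. The rewrite below closes the stream, matches the leaf certificate only, skips blank lines and stops echoing the policy to the client; `getSubjectDN()` is kept so the string format existing regex files match is unchanged, though it is deprecated in favour of `getSubjectX500Principal()`.
```java
// … unchanged: license header, package, imports, class declaration, fields, constructor …

@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
    FilterChain filterChain) throws IOException, ServletException {
    X509Certificate[] certs = (X509Certificate[]) servletRequest.getAttribute(CERTIFICATE_X_509);
    // No client certificate on the request: pass-through kept from the original; only the leaf is checked.
    if (certs != null && certs.length > 0 && !subjectAllowed(certs[0])) {
        // The reason stays server-side; the client only learns that it was rejected.
        ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }
    filterChain.doFilter(servletRequest, servletResponse);
}

/** True when the leaf certificate's subject DN matches at least one non-blank regex line of the matcher file. */
private boolean subjectAllowed(X509Certificate leaf) throws IOException {
    String subject = leaf.getSubjectDN().getName();
    // Files.lines keeps the file open until the stream is closed, hence try-with-resources.
    try (Stream<String> lines = Files.lines(Paths.get(properties.certSubjectMatcher()))) {
        return lines.map(String::trim)
            .filter(line -> !line.isEmpty())
            .anyMatch(regex -> Pattern.compile(regex).matcher(subject).find());
    }
}

// setResponse, getLines and getSubjectDN are folded into subjectAllowed and removed.
```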