From 0f2c2039cd9d9b26482fc7488ae1bdf99f2544f5 Mon Sep 17 00:00:00 2001 From: Zlatko Murgoski Date: Tue, 5 Mar 2019 11:31:48 +0100 Subject: Collector authentication enhancement Collector authentication enhancement Change-Id: I03a05cb83dd8c498fb218e82e9b3958348fbb4ac Issue-ID: DCAEGEN2-1101 Signed-off-by: Zlatko Murgoski --- .../org/onap/dcae/common/SSLContextCreator.java | 10 +- .../onap/dcae/common/configuration/AuthMethod.java | 26 +++++ .../dcae/common/configuration/AuthMethodType.java | 37 +++++++ .../onap/dcae/common/configuration/BasicAuth.java | 48 +++++++++ .../onap/dcae/common/configuration/CertAuth.java | 49 +++++++++ .../dcae/common/configuration/CertBasicAuth.java | 50 +++++++++ .../org/onap/dcae/common/configuration/NoAuth.java | 62 +++++++++++ .../common/configuration/SslContextCreator.java | 116 +++++++++++++++++++++ 8 files changed, 394 insertions(+), 4 deletions(-) create mode 100644 src/main/java/org/onap/dcae/common/configuration/AuthMethod.java create mode 100644 src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java create mode 100644 src/main/java/org/onap/dcae/common/configuration/BasicAuth.java create mode 100644 src/main/java/org/onap/dcae/common/configuration/CertAuth.java create mode 100644 src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java create mode 100644 src/main/java/org/onap/dcae/common/configuration/NoAuth.java create mode 100644 src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java (limited to 'src/main/java/org/onap/dcae/common') diff --git a/src/main/java/org/onap/dcae/common/SSLContextCreator.java b/src/main/java/org/onap/dcae/common/SSLContextCreator.java index e636f4c0..898e5d55 100644 --- a/src/main/java/org/onap/dcae/common/SSLContextCreator.java +++ b/src/main/java/org/onap/dcae/common/SSLContextCreator.java @@ -22,6 +22,7 @@ package org.onap.dcae.common; import java.nio.file.Path; import org.springframework.boot.web.server.Ssl; +import org.springframework.boot.web.server.Ssl.ClientAuth; public class SSLContextCreator { private final String keyStorePassword; @@ -31,6 +32,7 @@ public class SSLContextCreator { private Path trustStoreFile; private String trustStorePassword; private boolean hasTlsClientAuthentication = false; + private ClientAuth clientAuth; public static SSLContextCreator create(final Path keyStoreFile, final String certAlias, final String password) { return new SSLContextCreator(keyStoreFile, certAlias, password); @@ -42,8 +44,9 @@ public class SSLContextCreator { this.keyStorePassword = password; } - public SSLContextCreator withTlsClientAuthentication(final Path trustStoreFile, final String password) { - hasTlsClientAuthentication = true; + public SSLContextCreator withTlsClientAuthentication(final Path trustStoreFile, final String password, final ClientAuth clientAuth) { + this.clientAuth = clientAuth; + this.hasTlsClientAuthentication = true; this.trustStoreFile = trustStoreFile; this.trustStorePassword = password; @@ -62,7 +65,7 @@ public class SSLContextCreator { ssl.setTrustStore(trustStore); ssl.setTrustStorePassword(trustStorePassword); - ssl.setClientAuth(Ssl.ClientAuth.NEED); + ssl.setClientAuth(clientAuth); } public Ssl build() { @@ -74,7 +77,6 @@ public class SSLContextCreator { if (hasTlsClientAuthentication) { configureTrustStore(ssl); } - return ssl; } } \ No newline at end of file diff --git a/src/main/java/org/onap/dcae/common/configuration/AuthMethod.java b/src/main/java/org/onap/dcae/common/configuration/AuthMethod.java new file mode 100644 index 00000000..21614856 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/AuthMethod.java @@ -0,0 +1,26 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +public interface AuthMethod { + void configure(); +} diff --git a/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java b/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java new file mode 100644 index 00000000..7eb1b414 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/AuthMethodType.java @@ -0,0 +1,37 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +public enum AuthMethodType { + + NO_AUTH("noAuth"),CERT_ONLY("certOnly"),CERT_BASIC_AUTH("certBasicAuth"),BASIC_AUTH("basicAuth"); + + private final String value; + + AuthMethodType(String value) { + this.value = value; + } + + public String value() { + return value; + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java b/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java new file mode 100644 index 00000000..c3730512 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/BasicAuth.java @@ -0,0 +1,48 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class BasicAuth implements AuthMethod { + + private static final Logger log = LoggerFactory.getLogger(BasicAuth.class); + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public BasicAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + SslContextCreator sslContextCreator = new SslContextCreator(properties); + container.setPort(properties.httpsPort()); + container.setSsl(sslContextCreator.simpleHttpsContext()); + log.info(String.format("Application work in %s mode on %s port.", + properties.authMethod(), properties.httpsPort())); + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/CertAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java new file mode 100644 index 00000000..3c4fb62c --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java @@ -0,0 +1,49 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.server.Ssl.ClientAuth; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class CertAuth implements AuthMethod { + + private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public CertAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + SslContextCreator sslContextCreator = new SslContextCreator(properties); + container.setSsl(sslContextCreator.httpsContextWithTlsAuthentication(ClientAuth.NEED)); + container.setPort(properties.httpsPort()); + log.info(String.format("Application work in %s mode on %s port.", + properties.authMethod(), properties.httpsPort())); + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java new file mode 100644 index 00000000..f756b47d --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java @@ -0,0 +1,50 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.server.Ssl.ClientAuth; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class CertBasicAuth implements AuthMethod{ + + private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public CertBasicAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + SslContextCreator sslContextCreator = new SslContextCreator(properties); + container.setPort(properties.httpsPort()); + container.setSsl(sslContextCreator.httpsContextWithTlsAuthentication(ClientAuth.WANT)); + log.info(String.format("Application work in %s mode on %s port.", + properties.authMethod(), properties.httpsPort())); + } +} + diff --git a/src/main/java/org/onap/dcae/common/configuration/NoAuth.java b/src/main/java/org/onap/dcae/common/configuration/NoAuth.java new file mode 100644 index 00000000..a64749c0 --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/NoAuth.java @@ -0,0 +1,62 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; + +public class NoAuth implements AuthMethod { + + private static final Logger log = LoggerFactory.getLogger(NoAuth.class); + + private final ConfigurableServletWebServerFactory container; + private final ApplicationSettings properties; + + public NoAuth(ConfigurableServletWebServerFactory container, ApplicationSettings properties) { + this.container = container; + this.properties = properties; + } + + @Override + public void configure() { + if (validateAuthMethod()){ + container.setPort(properties.httpsPort()); + logContainerConfiguration(properties.httpsPort()); + } + else { + container.setPort(properties.httpPort()); + logContainerConfiguration(properties.httpPort()); + } + } + + private boolean validateAuthMethod() { + return properties.authMethod().equalsIgnoreCase(AuthMethodType.BASIC_AUTH.value()) + || properties.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value()) + || properties.authMethod().equalsIgnoreCase(AuthMethodType.CERT_BASIC_AUTH.value()); + } + + private void logContainerConfiguration(int port) { + log.info(String.format("Application work in %s mode on %s port.", properties.authMethod(), port)); + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java b/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java new file mode 100644 index 00000000..f0e470be --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/SslContextCreator.java @@ -0,0 +1,116 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2018 Nokia. All rights reserved.s + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import static java.nio.file.Files.readAllBytes; + +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.GeneralSecurityException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import org.onap.dcae.ApplicationException; +import org.onap.dcae.ApplicationSettings; +import org.onap.dcae.common.SSLContextCreator; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.web.server.Ssl; +import org.springframework.boot.web.server.Ssl.ClientAuth; + +public class SslContextCreator { + + private static final Logger log = LoggerFactory.getLogger(CertAuth.class); + private final ApplicationSettings properties; + + public SslContextCreator(ApplicationSettings properties) { + this.properties = properties; + } + + public Ssl httpsContextWithTlsAuthentication(ClientAuth clientAuth) { + final SSLContextCreator sslContextCreator = simpleHttpsContextBuilder(); + + log.info("Enabling TLS client authorization"); + + final Path trustStore = toAbsolutePath(properties.truststoreFileLocation()); + log.info("Using trustStore path: " + trustStore); + + final Path trustPasswordFileLocation = toAbsolutePath(properties.truststorePasswordFileLocation()); + final String trustStorePassword = getKeyStorePassword(trustPasswordFileLocation); + log.info("Using trustStore password from: " + trustPasswordFileLocation); + + return sslContextCreator.withTlsClientAuthentication(trustStore, trustStorePassword, clientAuth).build(); + } + + public Ssl simpleHttpsContext(){ + return simpleHttpsContextBuilder().build(); + } + + private SSLContextCreator simpleHttpsContextBuilder() { + log.info("Enabling SSL"); + + final Path keyStorePath = toAbsolutePath(properties.keystoreFileLocation()); + log.info("Using keyStore path: " + keyStorePath); + + final Path keyStorePasswordLocation = toAbsolutePath(properties.keystorePasswordFileLocation()); + final String keyStorePassword = getKeyStorePassword(keyStorePasswordLocation); + log.info("Using keyStore password from: " + keyStorePasswordLocation); + return SSLContextCreator.create(keyStorePath, getKeyStoreAlias(keyStorePath, keyStorePassword), keyStorePassword); + } + + private String getKeyStoreAlias(Path keyStorePath, String keyStorePassword) { + KeyStore keyStore = getKeyStore(); + try(InputStream keyStoreData = new FileInputStream(keyStorePath.toString())){ + keyStore.load(keyStoreData, keyStorePassword.toCharArray()); + String alias = keyStore.aliases().nextElement(); + log.info("Actual key store alias is: " + alias); + return alias; + } catch (IOException | GeneralSecurityException ex) { + log.error("Cannot load Key Store alias cause: " + ex); + throw new ApplicationException(ex); + } + } + + private KeyStore getKeyStore() { + try { + return KeyStore.getInstance(KeyStore.getDefaultType()); + } catch (KeyStoreException ex) { + log.error("Cannot create Key Store instance cause: " + ex); + throw new ApplicationException(ex); + } + } + + private Path toAbsolutePath(final String path) { + return Paths.get(path).toAbsolutePath(); + } + + private String getKeyStorePassword(final Path location) { + try { + return new String(readAllBytes(location)); + } catch (IOException e) { + log.error("Could not read keystore password from: '" + location + "'.", e); + throw new ApplicationException(e); + } + } +} -- cgit 1.2.3-korg