From 124e11e9e7ea4652f8a538093ab48df9f575ce2a Mon Sep 17 00:00:00 2001 From: Zlatko Murgoski Date: Wed, 21 Aug 2019 11:14:04 +0200 Subject: Not Secured healtcheck https://jira.onap.org/browse/DCAEGEN2-1539 Issue-ID: DCAEGEN2-1539 Change-Id: I55c9387e64a5a6b710785ecbfa695683d821599a Signed-off-by: Zlatko Murgoski --- .../java/org/onap/dcae/ApplicationSettings.java | 1 - .../common/configuration/ApiConfiguration.java | 49 ++++++++++++++++++++ .../onap/dcae/common/configuration/CertAuth.java | 4 +- .../dcae/common/configuration/CertBasicAuth.java | 4 +- .../common/configuration/TomcatHttpConfig.java | 54 ++++++++++++++++++++++ .../org/onap/dcae/restapi/ApiAuthInterceptor.java | 44 +++++++++--------- .../java/org/onap/dcae/restapi/SwaggerConfig.java | 2 +- .../java/org/onap/dcae/restapi/WebMvcConfig.java | 4 +- 8 files changed, 128 insertions(+), 34 deletions(-) create mode 100644 src/main/java/org/onap/dcae/common/configuration/ApiConfiguration.java create mode 100644 src/main/java/org/onap/dcae/common/configuration/TomcatHttpConfig.java (limited to 'src/main/java/org/onap') diff --git a/src/main/java/org/onap/dcae/ApplicationSettings.java b/src/main/java/org/onap/dcae/ApplicationSettings.java index 205659c4..5164f878 100644 --- a/src/main/java/org/onap/dcae/ApplicationSettings.java +++ b/src/main/java/org/onap/dcae/ApplicationSettings.java @@ -74,7 +74,6 @@ public class ApplicationSettings { loadedJsonSchemas = loadJsonSchemas(); } - public void reloadProperties() { try { properties.load(configurationFileLocation); diff --git a/src/main/java/org/onap/dcae/common/configuration/ApiConfiguration.java b/src/main/java/org/onap/dcae/common/configuration/ApiConfiguration.java new file mode 100644 index 00000000..52e3a6de --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/ApiConfiguration.java @@ -0,0 +1,49 @@ +/*- + * ============LICENSE_START======================================================= + * org.onap.dcaegen2.collectors.ves + * ================================================================================ + * Copyright (C) 2018 - 2019 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.onap.dcae.ApplicationSettings; +import org.onap.dcae.restapi.ApiAuthInterceptor; +import org.slf4j.Logger; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Configuration; +import org.springframework.web.servlet.config.annotation.EnableWebMvc; +import org.springframework.web.servlet.config.annotation.InterceptorRegistry; +import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; + +@Configuration +@EnableWebMvc +public class ApiConfiguration implements WebMvcConfigurer { + + private final ApplicationSettings applicationSettings; + private Logger errorLogger; + + @Autowired + ApiConfiguration(ApplicationSettings applicationSettings, Logger errorLogger) { + this.applicationSettings = applicationSettings; + this.errorLogger = errorLogger; + } + + @Override + public void addInterceptors(InterceptorRegistry registry) { + registry.addInterceptor(new ApiAuthInterceptor(applicationSettings, errorLogger)); + } +} diff --git a/src/main/java/org/onap/dcae/common/configuration/CertAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java index 6bd924c3..53031142 100644 --- a/src/main/java/org/onap/dcae/common/configuration/CertAuth.java +++ b/src/main/java/org/onap/dcae/common/configuration/CertAuth.java @@ -3,7 +3,7 @@ * PROJECT * ================================================================================ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. - * Copyright (C) 2018 Nokia. All rights reserved.s + * Copyright (C) 2018 - 2019 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,9 +26,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.boot.web.server.Ssl.ClientAuth; import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; -import org.springframework.context.annotation.Configuration; -@Configuration public class CertAuth implements AuthMethod { private static final Logger log = LoggerFactory.getLogger(CertAuth.class); diff --git a/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java index 38d5ad5b..fa4a1b2d 100644 --- a/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java +++ b/src/main/java/org/onap/dcae/common/configuration/CertBasicAuth.java @@ -3,7 +3,7 @@ * PROJECT * ================================================================================ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. - * Copyright (C) 2018 Nokia. All rights reserved.s + * Copyright (C) 2018 - 2019 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,9 +26,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.boot.web.server.Ssl.ClientAuth; import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory; -import org.springframework.context.annotation.Configuration; -@Configuration public class CertBasicAuth implements AuthMethod{ private static final Logger log = LoggerFactory.getLogger(CertAuth.class); diff --git a/src/main/java/org/onap/dcae/common/configuration/TomcatHttpConfig.java b/src/main/java/org/onap/dcae/common/configuration/TomcatHttpConfig.java new file mode 100644 index 00000000..4495f34b --- /dev/null +++ b/src/main/java/org/onap/dcae/common/configuration/TomcatHttpConfig.java @@ -0,0 +1,54 @@ +/* + * ============LICENSE_START======================================================= + * PROJECT + * ================================================================================ + * Copyright (C) 2019 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dcae.common.configuration; + +import org.apache.catalina.connector.Connector; +import org.onap.dcae.ApplicationSettings; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory; +import org.springframework.boot.web.servlet.server.ServletWebServerFactory; +import org.springframework.context.annotation.Bean; +import org.springframework.stereotype.Component; + +@Component +public class TomcatHttpConfig { + + @Autowired + private ApplicationSettings settings; + + @Bean + private ServletWebServerFactory servletContainer() { + + TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory(); + if(!(settings.authMethod().equalsIgnoreCase(AuthMethodType.NO_AUTH.value())) && settings.httpsEnabled()){ + tomcat.addAdditionalTomcatConnectors(getHttpConnector()); + } + return tomcat; + } + + private Connector getHttpConnector() { + Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL); + connector.setScheme("http"); + connector.setPort(settings.httpPort()); + connector.setSecure(false); + return connector; + } +} diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java index 9b387b84..a9281594 100644 --- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java +++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * org.onap.dcaegen2.collectors.ves * ================================================================================ - * Copyright (C) 2018 Nokia. All rights reserved. + * Copyright (C) 2018 - 2019 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -23,11 +23,6 @@ import io.vavr.control.Option; import java.io.IOException; import java.security.cert.X509Certificate; import java.util.Base64; -import javax.servlet.Filter; -import javax.servlet.FilterChain; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.onap.dcae.ApplicationSettings; @@ -37,9 +32,10 @@ import org.onap.dcaegen2.services.sdk.security.CryptPassword; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Component; +import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; @Component -public class ApiAuthInterceptor implements Filter { +public class ApiAuthInterceptor extends HandlerInterceptorAdapter { private static final Logger LOG = LoggerFactory.getLogger(ApiAuthInterceptor.class); private static final String CERTIFICATE_X_509 = "javax.servlet.request.X509Certificate"; @@ -53,32 +49,33 @@ public class ApiAuthInterceptor implements Filter { this.errorLogger = errorLogger; } - @Override - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) + throws IOException { + SubjectMatcher subjectMatcher = new SubjectMatcher(settings,(X509Certificate[]) request.getAttribute(CERTIFICATE_X_509)); - if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value())){ - if( validateCertRequest((HttpServletResponse )response, subjectMatcher)){ - chain.doFilter(request, response); - return; + if(!settings.authMethod().equalsIgnoreCase(AuthMethodType.NO_AUTH.value()) && request.getServerPort() == settings.httpPort() ){ + if(request.getRequestURI().replaceAll("^/|/$", "").equalsIgnoreCase("healthcheck")){ + return true; } - return; + response.getWriter().write("Operation not permitted"); + response.setStatus(400); + return false; + } + + if(settings.authMethod().equalsIgnoreCase(AuthMethodType.CERT_ONLY.value())){ + return validateCertRequest(response, subjectMatcher); } if(isCertSubject(subjectMatcher)){ - chain.doFilter(request, response); - return; + return true; } if (isBasicAuth() ) { - if(validateBasicHeader((HttpServletRequest)request, (HttpServletResponse)response)){ - chain.doFilter(request, response); - return; - } - return; + return validateBasicHeader(request, response); } - chain.doFilter(request, response); + return true; } private boolean validateBasicHeader(HttpServletRequest request, HttpServletResponse response) @@ -110,6 +107,7 @@ public class ApiAuthInterceptor implements Filter { LOG.info("Cert and subjectDN is valid"); return true; } + LOG.info(String.format(MESSAGE, settings.certSubjectMatcher())); return false; } @@ -129,7 +127,7 @@ public class ApiAuthInterceptor implements Filter { return userRegistered && cryptPassword.matches(providedPassword,maybeSavedPassword.get()); } catch (Exception e) { LOG.warn(String.format("Could not check if user is authorized (header: '%s')), probably malformed header.", - authorizationHeader), e); + authorizationHeader), e); return false; } } diff --git a/src/main/java/org/onap/dcae/restapi/SwaggerConfig.java b/src/main/java/org/onap/dcae/restapi/SwaggerConfig.java index 267db054..03432cf2 100644 --- a/src/main/java/org/onap/dcae/restapi/SwaggerConfig.java +++ b/src/main/java/org/onap/dcae/restapi/SwaggerConfig.java @@ -3,6 +3,7 @@ * PROJECT * ================================================================================ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2019 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -28,7 +29,6 @@ import springfox.documentation.spi.DocumentationType; import springfox.documentation.spring.web.plugins.Docket; import springfox.documentation.swagger2.annotations.EnableSwagger2; -@Configuration @EnableSwagger2 public class SwaggerConfig{ diff --git a/src/main/java/org/onap/dcae/restapi/WebMvcConfig.java b/src/main/java/org/onap/dcae/restapi/WebMvcConfig.java index c3e2a5de..c8dd7ba4 100644 --- a/src/main/java/org/onap/dcae/restapi/WebMvcConfig.java +++ b/src/main/java/org/onap/dcae/restapi/WebMvcConfig.java @@ -3,7 +3,7 @@ * PROJECT * ================================================================================ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. - * Copyright (C) 2018 Nokia. All rights reserved.s + * Copyright (C) 2018 - 2019 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,12 +22,10 @@ package org.onap.dcae.restapi; import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport; import org.springframework.web.servlet.view.InternalResourceViewResolver; -@Configuration public class WebMvcConfig extends WebMvcConfigurationSupport { @Override -- cgit 1.2.3-korg