diff options
author | david.mcweeney <david.mcweeney@est.tech> | 2022-03-16 16:08:44 +0000 |
---|---|---|
committer | david.mcweeney <david.mcweeney@est.tech> | 2022-04-04 16:27:53 +0100 |
commit | d70c2ca145d2b3eac7ed6a4f16d41e322962cf59 (patch) | |
tree | a71e61d38753a5b258b103f56a5ac3b19c6325eb | |
parent | 9602193f94e88e8d82936ba36fc20203227a4eec (diff) |
DMAAP-1714 - DR Making TLS Configurable
Change-Id: I0c3bc05182691c12c9d0f0b76d09f7dfea3e09eb
Signed-off-by: david.mcweeney <david.mcweeney@est.tech>
Issue-ID: DMAAP-1714
14 files changed, 134 insertions, 47 deletions
diff --git a/csit/scripts/dmaap-datarouter/docker-compose/node.properties b/csit/scripts/dmaap-datarouter/docker-compose/node.properties index 58639cfd..9f3ca40d 100644 --- a/csit/scripts/dmaap-datarouter/docker-compose/node.properties +++ b/csit/scripts/dmaap-datarouter/docker-compose/node.properties @@ -80,3 +80,6 @@ CadiEnabled = false # # AAF Props file path AAFPropsFilePath = /opt/app/osaaf/local/org.onap.dmaap-dr.props + +# https security required for publish request +TlsEnabled = true diff --git a/csit/scripts/dmaap-datarouter/docker-compose/provserver.properties b/csit/scripts/dmaap-datarouter/docker-compose/provserver.properties index b54868e2..b38c3f56 100755 --- a/csit/scripts/dmaap-datarouter/docker-compose/provserver.properties +++ b/csit/scripts/dmaap-datarouter/docker-compose/provserver.properties @@ -52,4 +52,7 @@ org.onap.dmaap.datarouter.provserver.aaf.feed.type = org.onap.dmaap-dr.fe org.onap.dmaap.datarouter.provserver.aaf.sub.type = org.onap.dmaap-dr.sub org.onap.dmaap.datarouter.provserver.aaf.instance = legacy org.onap.dmaap.datarouter.provserver.aaf.action.publish = publish -org.onap.dmaap.datarouter.provserver.aaf.action.subscribe = subscribe
\ No newline at end of file +org.onap.dmaap.datarouter.provserver.aaf.action.subscribe = subscribe +org.onap.dmaap.datarouter.provserver.tlsenabled = true +org.onap.dmaap.datarouter.nodeserver.https.port = 8443 +org.onap.dmaap.datarouter.nodeserver.http.port = 8080
\ No newline at end of file diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeConfigManager.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeConfigManager.java index 5b5245da..3b950232 100644 --- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeConfigManager.java +++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeConfigManager.java @@ -102,6 +102,7 @@ public class NodeConfigManager implements DeliveryQueueHelper { private String aafType; private String aafInstance; private String aafAction; + private boolean tlsEnabled; private boolean cadiEnabled; private NodeAafPropsUtils nodeAafPropsUtils; @@ -159,6 +160,8 @@ public class NodeConfigManager implements DeliveryQueueHelper { svcport = Integer.parseInt(drNodeProperties.getProperty("IntHttpsPort", "8443")); port = Integer.parseInt(drNodeProperties.getProperty("ExtHttpsPort", "443")); spooldir = drNodeProperties.getProperty("SpoolDir", "spool"); + tlsEnabled = Boolean.parseBoolean(drNodeProperties.getProperty("TlsEnabled", "true")); + File fdir = new File(spooldir + "/f"); fdir.mkdirs(); for (File junk : Objects.requireNonNull(fdir.listFiles())) { @@ -811,6 +814,10 @@ public class NodeConfigManager implements DeliveryQueueHelper { return aafAction; } + protected boolean isTlsEnabled() { + return tlsEnabled; + } + boolean getCadiEnabled() { return cadiEnabled; } diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java index 139c7492..ee1f5b7d 100644 --- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java +++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java @@ -549,7 +549,7 @@ public class NodeServlet extends HttpServlet { eelfLogger.info(EelfMsgs.EXIT); return null; } - if (!req.isSecure()) { + if (!req.isSecure() && config.isTlsEnabled()) { eelfLogger.error( "NODE0104 Rejecting insecure PUT or DELETE of " + req.getPathInfo() + FROM + req .getRemoteAddr()); diff --git a/datarouter-node/src/main/resources/node.properties b/datarouter-node/src/main/resources/node.properties index 1d7a5d42..f7c24fab 100644 --- a/datarouter-node/src/main/resources/node.properties +++ b/datarouter-node/src/main/resources/node.properties @@ -85,3 +85,6 @@ CadiEnabled = false # # AAF Props file path AAFPropsFilePath = /opt/app/osaaf/local/org.onap.dmaap-dr.props + +# https security required for publish request +TlsEnabled = true diff --git a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeConfigManagerTest.java b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeConfigManagerTest.java index e64579ed..82038fba 100644 --- a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeConfigManagerTest.java +++ b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeConfigManagerTest.java @@ -112,6 +112,7 @@ public class NodeConfigManagerTest { Assert.assertEquals("publish", nodeConfigManager.getAafAction()); Assert.assertFalse(nodeConfigManager.getCadiEnabled()); Assert.assertFalse(nodeConfigManager.isShutdown()); + Assert.assertTrue(nodeConfigManager.isTlsEnabled()); Assert.assertTrue(nodeConfigManager.isConfigured()); Assert.assertEquals("legacy", nodeConfigManager.getAafInstance("1")); Assert.assertNotNull(nodeConfigManager.getPublishId()); diff --git a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java index 4340b018..f7e3d7c8 100644 --- a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java +++ b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java @@ -23,7 +23,6 @@ package org.onap.dmaap.datarouter.node; import static org.junit.Assert.assertEquals; -import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyObject; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.anyString; @@ -144,8 +143,9 @@ public class NodeServletTest { } @Test - public void Given_Request_Is_HTTP_PUT_And_Request_Is_Not_Secure_Then_Forbidden_Response_Is_Generated() throws Exception { + public void Given_Request_Is_HTTP_PUT_And_Request_Is_Not_Secure_And_TLS_Enabled_Then_Forbidden_Response_Is_Generated() throws Exception { when(request.isSecure()).thenReturn(false); + when(config.isTlsEnabled()).thenReturn(true); nodeServlet.doPut(request, response); verify(response).sendError(eq(HttpServletResponse.SC_FORBIDDEN), anyString()); verifyEnteringExitCalled(listAppender); @@ -285,6 +285,17 @@ public class NodeServletTest { } @Test + public void Given_Request_Is_HTTP_DELETE_File_And_Request_Is_Not_Secure_But_TLS_Disabled_Then_Request_Succeeds() throws Exception { + when(request.isSecure()).thenReturn(false); + when(config.isTlsEnabled()).thenReturn(false); + when(request.getPathInfo()).thenReturn("/delete/1/dmaap-dr-node.1234567"); + createFilesAndDirectories(); + nodeServlet.doDelete(request, response); + verify(response).setStatus(eq(HttpServletResponse.SC_OK)); + verifyEnteringExitCalled(listAppender); + } + + @Test public void Given_Request_Is_HTTP_DELETE_File_And_File_Does_Not_Exist_Then_Not_Found_Response_Is_Generated() throws IOException { when(request.getPathInfo()).thenReturn("/delete/1/nonExistingFile"); nodeServlet.doDelete(request, response); diff --git a/datarouter-node/src/test/resources/node_test.properties b/datarouter-node/src/test/resources/node_test.properties index 9359e8dc..3c96ed25 100644 --- a/datarouter-node/src/test/resources/node_test.properties +++ b/datarouter-node/src/test/resources/node_test.properties @@ -86,3 +86,6 @@ CadiEnabled = false # AAF Props file path AAFPropsFilePath = src/test/resources/aaf/org.onap.dmaap-dr.props +# https security required for publish request +TlsEnabled = true + diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/PublishServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/PublishServlet.java index 35205aa9..949019d1 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/PublishServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/PublishServlet.java @@ -45,6 +45,7 @@ import org.onap.dmaap.datarouter.provisioning.utils.Poker; import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.IngressRoute;
import org.onap.dmaap.datarouter.provisioning.eelf.EelfMsgs;
+import org.onap.dmaap.datarouter.provisioning.utils.URLUtilities;
/**
* This servlet handles redirects for the <publishURL> on the provisioning server, which is generated by the
@@ -158,9 +159,15 @@ public class PublishServlet extends BaseServlet { } else {
// Generate new URL
String nextnode = getRedirectNode(feedid, req);
- nextnode = nextnode + ":" + ProvRunner.getProvProperties().getProperty(
- "org.onap.dmaap.datarouter.provserver.https.port", "8443");
- String newurl = "https://" + nextnode + "/publish" + req.getPathInfo();
+ if (Boolean.parseBoolean(ProvRunner.getProvProperties()
+ .getProperty("org.onap.dmaap.datarouter.provserver.tlsenabled", "true"))) {
+ nextnode = nextnode + ":" + ProvRunner.getProvProperties().getProperty(
+ "org.onap.dmaap.datarouter.nodeserver.https.port", "8443");
+ } else {
+ nextnode = nextnode + ":" + ProvRunner.getProvProperties().getProperty(
+ "org.onap.dmaap.datarouter.nodeserver.http.port", "8080");
+ }
+ String newurl = URLUtilities.getUrlSecurityOption() + nextnode + "/publish" + req.getPathInfo();
String qs = req.getQueryString();
if (qs != null) {
newurl += "?" + qs;
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/URLUtilities.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/URLUtilities.java index 2e000027..988b576f 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/URLUtilities.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/URLUtilities.java @@ -28,8 +28,8 @@ import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager;
import java.net.InetAddress;
import java.net.UnknownHostException;
-
import org.onap.dmaap.datarouter.provisioning.BaseServlet;
+import org.onap.dmaap.datarouter.provisioning.ProvRunner;
/**
* Utility functions used to generate the different URLs used by the Data Router.
@@ -39,9 +39,7 @@ import org.onap.dmaap.datarouter.provisioning.BaseServlet; */
public class URLUtilities {
-
private static final EELFLogger utilsLogger = EELFManager.getInstance().getLogger("UtilsLog");
- private static final String HTTPS = "https://";
private static String otherPod;
private URLUtilities() {
@@ -54,7 +52,7 @@ public class URLUtilities { * @return the URL
*/
public static String generateFeedURL(int feedid) {
- return HTTPS + BaseServlet.getProvName() + "/feed/" + feedid;
+ return getUrlSecurityOption() + BaseServlet.getProvName() + getAppropriateUrlPort() + "/feed/" + feedid;
}
/**
@@ -64,7 +62,7 @@ public class URLUtilities { * @return the URL
*/
public static String generatePublishURL(int feedid) {
- return HTTPS + BaseServlet.getProvName() + "/publish/" + feedid;
+ return getUrlSecurityOption() + BaseServlet.getProvName() + getAppropriateUrlPort() + "/publish/" + feedid;
}
/**
@@ -74,7 +72,7 @@ public class URLUtilities { * @return the URL
*/
public static String generateSubscribeURL(int feedid) {
- return HTTPS + BaseServlet.getProvName() + "/subscribe/" + feedid;
+ return getUrlSecurityOption() + BaseServlet.getProvName() + getAppropriateUrlPort() + "/subscribe/" + feedid;
}
/**
@@ -84,7 +82,7 @@ public class URLUtilities { * @return the URL
*/
public static String generateFeedLogURL(int feedid) {
- return HTTPS + BaseServlet.getProvName() + "/feedlog/" + feedid;
+ return getUrlSecurityOption() + BaseServlet.getProvName() + getAppropriateUrlPort() + "/feedlog/" + feedid;
}
/**
@@ -94,7 +92,7 @@ public class URLUtilities { * @return the URL
*/
public static String generateSubscriptionURL(int subid) {
- return HTTPS + BaseServlet.getProvName() + "/subs/" + subid;
+ return getUrlSecurityOption() + BaseServlet.getProvName() + getAppropriateUrlPort() + "/subs/" + subid;
}
/**
@@ -104,7 +102,7 @@ public class URLUtilities { * @return the URL
*/
public static String generateSubLogURL(int subid) {
- return HTTPS + BaseServlet.getProvName() + "/sublog/" + subid;
+ return getUrlSecurityOption() + BaseServlet.getProvName() + getAppropriateUrlPort() + "/sublog/" + subid;
}
/**
@@ -113,7 +111,7 @@ public class URLUtilities { * @return the URL
*/
public static String generatePeerProvURL() {
- return HTTPS + getPeerPodName() + "/internal/prov";
+ return getUrlSecurityOption() + getPeerPodName() + getAppropriateUrlPort() + "/internal/prov";
}
/**
@@ -128,7 +126,7 @@ public class URLUtilities { return "";
}
- return HTTPS + peerPodUrl + "/internal/drlogs/";
+ return getUrlSecurityOption() + peerPodUrl + getAppropriateUrlPort() + "/internal/drlogs/";
}
/**
@@ -154,4 +152,21 @@ public class URLUtilities { return otherPod;
}
+ public static String getUrlSecurityOption() {
+ if (Boolean.parseBoolean(ProvRunner.getProvProperties()
+ .getProperty("org.onap.dmaap.datarouter.provserver.tlsenabled", "true"))) {
+ return "https://";
+ }
+ return "http://";
+ }
+
+ private static String getAppropriateUrlPort() {
+ if (Boolean.parseBoolean(ProvRunner.getProvProperties()
+ .getProperty("org.onap.dmaap.datarouter.provserver.tlsenabled", "true")))
+ return "";
+
+ return ":" + ProvRunner.getProvProperties()
+ .getProperty("org.onap.dmaap.datarouter.provserver.http.port", "8080");
+
+ }
}
diff --git a/datarouter-prov/src/main/resources/provserver.properties b/datarouter-prov/src/main/resources/provserver.properties index ad9a19e3..642088ff 100755 --- a/datarouter-prov/src/main/resources/provserver.properties +++ b/datarouter-prov/src/main/resources/provserver.properties @@ -56,4 +56,8 @@ org.onap.dmaap.datarouter.provserver.aaf.feed.type = org.onap.dmaap-dr.fe org.onap.dmaap.datarouter.provserver.aaf.sub.type = org.onap.dmaap-dr.sub org.onap.dmaap.datarouter.provserver.aaf.instance = legacy org.onap.dmaap.datarouter.provserver.aaf.action.publish = publish -org.onap.dmaap.datarouter.provserver.aaf.action.subscribe = subscribe
\ No newline at end of file +org.onap.dmaap.datarouter.provserver.aaf.action.subscribe = subscribe + +org.onap.dmaap.datarouter.provserver.tlsenabled = true +org.onap.dmaap.datarouter.nodeserver.https.port = 8443 +org.onap.dmaap.datarouter.nodeserver.http.port = 8080
\ No newline at end of file diff --git a/datarouter-prov/src/test/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServletTest.java b/datarouter-prov/src/test/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServletTest.java index d644df9a..1f4fd535 100755 --- a/datarouter-prov/src/test/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServletTest.java +++ b/datarouter-prov/src/test/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServletTest.java @@ -22,9 +22,27 @@ ******************************************************************************/ package org.onap.dmaap.datarouter.provisioning; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.ArgumentMatchers.contains; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; +import static org.onap.dmaap.datarouter.provisioning.BaseServlet.BEHALF_HEADER; + import ch.qos.logback.classic.spi.ILoggingEvent; import ch.qos.logback.core.read.ListAppender; import java.sql.Connection; +import java.sql.SQLException; +import java.util.HashSet; +import java.util.Set; +import javax.persistence.EntityManager; +import javax.persistence.EntityManagerFactory; +import javax.persistence.Persistence; +import javax.servlet.ServletInputStream; +import javax.servlet.ServletOutputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.reflect.FieldUtils; import org.jetbrains.annotations.NotNull; import org.json.JSONObject; @@ -45,25 +63,6 @@ import org.onap.dmaap.datarouter.provisioning.utils.ProvDbUtils; import org.powermock.core.classloader.annotations.PowerMockIgnore; import org.powermock.modules.junit4.PowerMockRunner; -import javax.persistence.EntityManager; -import javax.persistence.EntityManagerFactory; -import javax.persistence.Persistence; -import javax.servlet.ServletInputStream; -import javax.servlet.ServletOutputStream; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.sql.SQLException; -import java.util.HashSet; -import java.util.Set; - -import static org.mockito.ArgumentMatchers.anyString; -import static org.mockito.ArgumentMatchers.contains; -import static org.mockito.ArgumentMatchers.eq; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.when; -import static org.onap.dmaap.datarouter.provisioning.BaseServlet.BEHALF_HEADER; - @RunWith(PowerMockRunner.class) @PowerMockIgnore({"com.sun.org.apache.xerces.*", "javax.xml.*", "org.xml.*", "org.w3c.*"}) @@ -89,7 +88,7 @@ public class SubscriptionServletTest extends DrServletTestBase { em = emf.createEntityManager(); System.setProperty( "org.onap.dmaap.datarouter.provserver.properties", - "src/test/resources/h2Database.properties"); + "src/test/resources/h2DatabaseTlsDisabled.properties"); } @AfterClass @@ -157,14 +156,6 @@ public class SubscriptionServletTest extends DrServletTestBase { } @Test - public void Given_Request_Is_HTTP_DELETE_And_AAF_CADI_Is_Enabled_Without_Permissions_Then_Forbidden_Response_Is_Generated() throws Exception { - when(request.getHeader("Content-Type")).thenReturn("application/vnd.dmaap-dr.subscription; version=1.0"); - when(request.getPathInfo()).thenReturn("/2"); - subscriptionServlet.doDelete(request, response); - verify(response).sendError(eq(HttpServletResponse.SC_FORBIDDEN), contains("AAF disallows access")); - } - - @Test public void Given_Request_Is_HTTP_DELETE_And_AAF_CADI_Is_Enabled_With_Permissions_Then_A_NO_CONTENT_Response_Is_Generated() throws Exception { when(request.getHeader("Content-Type")).thenReturn("application/vnd.dmaap-dr.subscription; version=1.0"); when(request.getPathInfo()).thenReturn("/2"); diff --git a/datarouter-prov/src/test/resources/h2Database.properties b/datarouter-prov/src/test/resources/h2Database.properties index 6957ae17..95968716 100755 --- a/datarouter-prov/src/test/resources/h2Database.properties +++ b/datarouter-prov/src/test/resources/h2Database.properties @@ -31,3 +31,6 @@ org.onap.dmaap.datarouter.provserver.accesslog.dir = unit-test-logs org.onap.dmaap.datarouter.provserver.spooldir = src/test/resources org.onap.dmaap.datarouter.provserver.dbscripts = src/test/resources org.onap.dmaap.datarouter.provserver.localhost = 127.0.0.1 +org.onap.dmaap.datarouter.provserver.tlsenabled = true +org.onap.dmaap.datarouter.nodeserver.https.port = 8443 +org.onap.dmaap.datarouter.nodeserver.http.port = 8080 diff --git a/datarouter-prov/src/test/resources/h2DatabaseTlsDisabled.properties b/datarouter-prov/src/test/resources/h2DatabaseTlsDisabled.properties new file mode 100644 index 00000000..05ab3a47 --- /dev/null +++ b/datarouter-prov/src/test/resources/h2DatabaseTlsDisabled.properties @@ -0,0 +1,36 @@ +#------------------------------------------------------------------------------- +# ============LICENSE_START================================================== +# * org.onap.dmaap +# * =========================================================================== +# * Copyright ? 2017 AT&T Intellectual Property. All rights reserved. +# * =========================================================================== +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# * ============LICENSE_END==================================================== +# * +# * ECOMP is a trademark and service mark of AT&T Intellectual Property. +# * +#------------------------------------------------------------------------------- + +# Database access +org.onap.dmaap.datarouter.db.driver = org.h2.Driver +org.onap.dmaap.datarouter.db.url = jdbc:h2:mem:test;DB_CLOSE_DELAY=-1 +org.onap.dmaap.datarouter.provserver.isaddressauthenabled = true +org.onap.dmaap.datarouter.provserver.cadi.enabled = true +org.onap.dmaap.datarouter.provserver.https.relaxation = false +org.onap.dmaap.datarouter.provserver.accesslog.dir = unit-test-logs +org.onap.dmaap.datarouter.provserver.spooldir = src/test/resources +org.onap.dmaap.datarouter.provserver.dbscripts = src/test/resources +org.onap.dmaap.datarouter.provserver.localhost = 127.0.0.1 +org.onap.dmaap.datarouter.provserver.tlsenabled = false +org.onap.dmaap.datarouter.nodeserver.https.port = 8443 +org.onap.dmaap.datarouter.nodeserver.http.port = 8080 |