From faf64da8b0307b6c0afa6637617f61c7c48bb8e2 Mon Sep 17 00:00:00 2001 From: efiacor Date: Mon, 19 Dec 2022 23:27:29 +0000 Subject: [DMAAP-DR-PROV] Remove aaf & cadi Signed-off-by: efiacor Change-Id: I610251e4b148620a6d44004efbe933e7acede26d Issue-ID: DMAAP-1573 --- .../authz/impl/AuthRespSupplementImpl.java | 71 --------- .../datarouter/authz/impl/ProvAuthorizer.java | 1 - .../dmaap/datarouter/provisioning/BaseServlet.java | 112 -------------- .../datarouter/provisioning/DRFeedsServlet.java | 59 +------- .../dmaap/datarouter/provisioning/FeedServlet.java | 65 --------- .../datarouter/provisioning/InternalServlet.java | 2 +- .../dmaap/datarouter/provisioning/ProvRunner.java | 23 ++- .../dmaap/datarouter/provisioning/ProvServer.java | 37 ++--- .../datarouter/provisioning/ProxyServlet.java | 33 +---- .../datarouter/provisioning/SubscribeServlet.java | 60 -------- .../provisioning/SubscriptionServlet.java | 63 -------- .../dmaap/datarouter/provisioning/beans/Feed.java | 20 +-- .../provisioning/beans/Subscription.java | 24 +-- .../provisioning/utils/AafPropsUtils.java | 83 ----------- .../datarouter/provisioning/utils/DRRouteCLI.java | 15 +- .../provisioning/utils/ProvTlsManager.java | 162 +++++++++++++++++++++ .../provisioning/utils/SynchronizerTask.java | 29 +--- .../provisioning/utils/URLUtilities.java | 3 +- 18 files changed, 203 insertions(+), 659 deletions(-) delete mode 100644 datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespSupplementImpl.java delete mode 100644 datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/AafPropsUtils.java create mode 100644 datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/ProvTlsManager.java (limited to 'datarouter-prov/src/main/java/org/onap') 
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespSupplementImpl.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespSupplementImpl.java deleted file mode 100644 index b61c00e5..00000000 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/AuthRespSupplementImpl.java +++ /dev/null 
@@ -1,71 +0,0 @@ -/******************************************************************************* - * ============LICENSE_START================================================== - * * org.onap.dmaap - * * =========================================================================== - * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * * =========================================================================== - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * ============LICENSE_END==================================================== - * * - * * ECOMP is a trademark and service mark of AT&T Intellectual Property. - * * - ******************************************************************************/ - - -package org.onap.dmaap.datarouter.authz.impl; - -import java.util.HashMap; -import java.util.Map; - -import org.onap.dmaap.datarouter.authz.AuthorizationResponseSupplement; - -/** Carries supplementary information--an advice or an obligation--from the authorization response returned - * by a XACML Policy Decision Point. Not used in Data Router R1. - * @author J. F. Lucas - * - */ -public class AuthRespSupplementImpl implements AuthorizationResponseSupplement { - - private String id; - private Map attributes; - - /** Constructor, available within the package. 
- * - * @param id The identifier for the advice or obligation element - * @param attributes The attributes (name-value pairs) for the advice or obligation element. - */ - AuthRespSupplementImpl(String id, Map attributes) { - this.id = id; - this.attributes = new HashMap<>(attributes); - } - - /** Return the identifier for the supplementary information element. - * - * @return a String containing the identifier. - */ - @Override - public String getId() { - return id; - } - - /** Return the attributes for the supplementary information element, as a Map in which - * keys represent attribute identifiers and values represent attribute values. - * - * @return attributes for the supplementary information element. - */ - @Override - public Map getAttributes() { - return attributes; - } - -} diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/ProvAuthorizer.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/ProvAuthorizer.java index 48e31bfe..97cdc120 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/ProvAuthorizer.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/authz/impl/ProvAuthorizer.java @@ -106,7 +106,6 @@ public class ProvAuthorizer implements Authorizer { decision = allowSubAccess(resource, method, subject, subjectgroup); break; default: - decision = false; break; } } diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java index 1942b148..c37c0a7d 100755 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/BaseServlet.java 
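Review bot: Dropping `decision = false;` from the `default:` arm removes the only explicit fail-closed assignment for an unrecognised resource type; behaviour is unchanged only if `decision` is initialised to `false` before the `switch`, which is outside this hunk. Even when it is, an empty `default: break;` no longer states whether an unknown type is meant to be denied, so keep that intent readable, e.g. `default: // unknown resource type: decision stays false (deny)`. The enclosing method starts and ends outside the hunk.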
@@ -85,23 +85,6 @@ public class BaseServlet extends HttpServlet implements ProvDataProvider { public static final String BEHALF_HEADER = "X-DMAAP-DR-ON-BEHALF-OF"; - public static final String EXCLUDE_AAF_HEADER = "X-EXCLUDE-AAF"; - - private static final String AAF_CADI_FEED_TYPE = "org.onap.dmaap.datarouter.provserver.aaf.feed.type"; - private static final String AAF_CADI_SUB_TYPE = "org.onap.dmaap.datarouter.provserver.aaf.sub.type"; - private static final String AAF_INSTANCE = "org.onap.dmaap.datarouter.provserver.aaf.instance"; - private static final String AAF_CADI_FEED = "org.onap.dmaap-dr.feed"; - private static final String AAF_CADI_SUB = "org.onap.dmaap-dr.sub"; - - static final String CREATE_PERMISSION = "create"; - static final String EDIT_PERMISSION = "edit"; - static final String DELETE_PERMISSION = "delete"; - private static final String PUBLISH_PERMISSION = "publish"; - private static final String SUSPEND_PERMISSION = "suspend"; - private static final String RESTORE_PERMISSION = "restore"; - private static final String SUBSCRIBE_PERMISSION = "subscribe"; - static final String APPROVE_SUB_PERMISSION = "approveSub"; - static final String FEED_BASECONTENT_TYPE = "application/vnd.dmaap-dr.feed"; public static final String FEED_CONTENT_TYPE = "application/vnd.dmaap-dr.feed; version=2.0"; public static final String FEEDFULL_CONTENT_TYPE = "application/vnd.dmaap-dr.feed-full; version=2.0"; @@ -261,9 +244,6 @@ public class BaseServlet extends HttpServlet implements ProvDataProvider { private static String isAddressAuthEnabled = ProvRunner.getProvProperties() .getProperty("org.onap.dmaap.datarouter.provserver.isaddressauthenabled", "false"); - static String isCadiEnabled = ProvRunner.getProvProperties() - .getProperty("org.onap.dmaap.datarouter.provserver.cadi.enabled", "false"); - /** * Initialize data common to all the provisioning server servlets. */ 
@@ -959,96 +939,4 @@ public class BaseServlet extends HttpServlet implements ProvDataProvider { } } - - /* - * AAF changes: TDP EPIC US# 307413 - * @Method - getFeedPermission - Forming permission string for feed part to check AAF access in CADI Framework - * @Params - aafInstance Passing aafInstance as it's used in permission string - * @Params - userAction Passing CONST values to set different actions in permission string - */ - String getFeedPermission(String aafInstance, String userAction) { - try { - Properties props = ProvRunner.getProvProperties(); - String type = props.getProperty(AAF_CADI_FEED_TYPE, AAF_CADI_FEED); - String action; - switch (userAction) { - case CREATE_PERMISSION: - action = CREATE_PERMISSION; - break; - case EDIT_PERMISSION: - action = EDIT_PERMISSION; - break; - case DELETE_PERMISSION: - action = DELETE_PERMISSION; - break; - case PUBLISH_PERMISSION: - action = PUBLISH_PERMISSION; - break; - case SUSPEND_PERMISSION: - action = SUSPEND_PERMISSION; - break; - case RESTORE_PERMISSION: - action = RESTORE_PERMISSION; - break; - default: - action = "*"; - } - if (aafInstance == null || "".equals(aafInstance)) { - aafInstance = props.getProperty(AAF_INSTANCE, "org.onap.dmaap-dr.NoInstanceDefined"); - } - return type + "|" + aafInstance + "|" + action; - } catch (Exception e) { - intlogger.error("PROV7005 BaseServlet.getFeedPermission: " + e.getMessage(), e); - } - return null; - } - - /* - * AAF changes: TDP EPIC US# 307413 - * @Method - getSubscriberPermission - Forming permission string for subscription part to check - * AAF access in CADI Framework - * @Params - aafInstance Passing aafInstance as it's used in permission string - * @Params - userAction Passing CONST values to set different actions in permission string - */ - String getSubscriberPermission(String aafInstance, String userAction) { - try { - Properties props = ProvRunner.getProvProperties(); - String type = props.getProperty(AAF_CADI_SUB_TYPE, AAF_CADI_SUB); - String action; - 
switch (userAction) { - case SUBSCRIBE_PERMISSION: - action = SUBSCRIBE_PERMISSION; - type = props.getProperty(AAF_CADI_FEED_TYPE, AAF_CADI_FEED); - break; - case EDIT_PERMISSION: - action = EDIT_PERMISSION; - break; - case DELETE_PERMISSION: - action = DELETE_PERMISSION; - break; - case RESTORE_PERMISSION: - action = RESTORE_PERMISSION; - break; - case SUSPEND_PERMISSION: - action = SUSPEND_PERMISSION; - break; - case PUBLISH_PERMISSION: - action = PUBLISH_PERMISSION; - break; - case APPROVE_SUB_PERMISSION: - action = APPROVE_SUB_PERMISSION; - type = props.getProperty(AAF_CADI_FEED_TYPE, AAF_CADI_FEED); - break; - default: - action = "*"; - } - if (aafInstance == null || "".equals(aafInstance)) { - aafInstance = props.getProperty(AAF_INSTANCE, "org.onap.dmaap-dr.NoInstanceDefined"); - } - return type + "|" + aafInstance + "|" + action; - } catch (Exception e) { - intlogger.error("PROV7005 BaseServlet.getSubscriberPermission: " + e.getMessage(), e); - } - return null; - } } diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java index a0df71ce..7266ee69 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java 
@@ -28,11 +28,11 @@ import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.send
 import com.att.eelf.configuration.EELFLogger;
 import com.att.eelf.configuration.EELFManager;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.InvalidObjectException;
 import java.util.List;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 import org.json.JSONObject;
 import org.onap.dmaap.datarouter.authz.AuthorizationResponse;
 import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
@@ -289,61 +289,6 @@ public class DRFeedsServlet extends ProxyServlet { return; } - /* - * START - AAF changes - * TDP EPIC US# 307413 - * CADI code - No legacy user check as all new users will be AAF users - */ - String aafInstance = feed.getAafInstance(); - if (Boolean.parseBoolean(isCadiEnabled)) { - if ((aafInstance == null || "".equals(aafInstance) || ("legacy".equalsIgnoreCase(aafInstance)) - && "true".equalsIgnoreCase(req.getHeader(EXCLUDE_AAF_HEADER)))) { - // Check with the Authorizer - AuthorizationResponse aresp = authz.decide(req); - if (!aresp.isAuthorized()) { - message = POLICY_ENGINE; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } else { - if ("true".equalsIgnoreCase(req.getHeader(EXCLUDE_AAF_HEADER))) { - message = "DRFeedsServlet.doPost() -Invalid request exclude_AAF should not be true if passing " - + "AAF_Instance value= " + aafInstance; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - String permission = getFeedPermission(aafInstance, BaseServlet.CREATE_PERMISSION); - eventlogger.info("DRFeedsServlet.doPost().. 
Permission String - " + permission); - if (!req.isUserInRole(permission)) { - message = "AAF disallows access to permission - " + permission; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } - } else { - AuthorizationResponse aresp = authz.decide(req); - if (!aresp.isAuthorized()) { - message = POLICY_ENGINE; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } - /* - * END - AAF changes - */ - feed.setPublisher(bhdr); // set from X-DMAAP-DR-ON-BEHALF-OF header // Check if this feed already exists diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java index 5182cc23..475054d1 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java @@ -28,7 +28,6 @@ import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.send import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; -import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; 
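Review bot: Feed creation no longer passes through any authorizer: the removed block's non-CADI branch called `authz.decide(req)` and returned 403 on `!aresp.isAuthorized()`, and the new code goes from the preceding validation straight to `feed.setPublisher(bhdr)` with no replacement check. The commit message scopes the change to AAF/CADI removal and `ProvAuthorizer` is kept (and edited) in this same commit, so unless an equivalent `authz.decide` call exists earlier in `doPost` outside the hunk, this is an authorization regression rather than dead-code cleanup. The same pattern repeats in FeedServlet `doDelete` and `doPut`, SubscribeServlet `doPost`, and SubscriptionServlet `doDelete` and `doPut` in the hunks below. The `AuthorizationResponse` import retained in the DRFeedsServlet import hunk above suggests the policy-engine check was expected to survive. The proposed change reinstates only that branch ahead of `feed.setPublisher(bhdr)`; `doPost` starts and ends outside the hunk.
```java
// … unchanged: request parsing and feed validation …
AuthorizationResponse aresp = authz.decide(req);
if (!aresp.isAuthorized()) {
    message = POLICY_ENGINE;
    elr.setMessage(message);
    elr.setResult(HttpServletResponse.SC_FORBIDDEN);
    eventlogger.error(elr.toString());
    sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
    return;
}
feed.setPublisher(bhdr); // set from X-DMAAP-DR-ON-BEHALF-OF header
// … unchanged: duplicate-feed check and insert …
```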
@@ -108,37 +107,6 @@ public class FeedServlet extends ProxyServlet { sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger); return; } - /* - * START - AAF changes - * TDP EPIC US# 307413 - * CADI code - check on permissions based on Legacy/AAF users to allow to delete/remove feed - */ - String aafInstance = feed.getAafInstance(); - if (aafInstance == null || "".equals(aafInstance) || "legacy".equalsIgnoreCase(aafInstance)) { - AuthorizationResponse aresp = authz.decide(req); - if (! aresp.isAuthorized()) { - message = POLICY_ENGINE; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } else { - String permission = getFeedPermission(aafInstance, BaseServlet.DELETE_PERMISSION); - eventlogger.info("FeedServlet.doDelete().. Permission String - " + permission); - if (!req.isUserInRole(permission)) { - message = "AAF disallows access to permission - " + permission; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } - /* - * END - AAF changes - */ // Delete FEED table entry (set DELETED flag) feed.setDeleted(true); if (doUpdate(feed)) { 
@@ -352,39 +320,6 @@ public class FeedServlet extends ProxyServlet { return; } - /* - * START - AAF changes - * TDP EPIC US# 307413 - * CADI code - check on permissions based on Legacy/AAF users to allow feed edit/update/modify - */ - String aafInstance = feed.getAafInstance(); - if (aafInstance == null || "".equals(aafInstance) || "legacy".equalsIgnoreCase(aafInstance)) { - // Check with the Authorizer - AuthorizationResponse aresp = authz.decide(req); - if (!aresp.isAuthorized()) { - message = POLICY_ENGINE; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } else { - String permission = getFeedPermission(aafInstance, BaseServlet.EDIT_PERMISSION); - eventlogger.info("FeedServlet.doPut().. Permission String - " + permission); - if (!req.isUserInRole(permission)) { - message = "AAF disallows access to permission - " + permission; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } - /* - * END - AAF changes - */ - // Update FEEDS table entries if (doUpdate(feed)) { // send response diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java index 06959eef..0fb879e9 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java 
@@ -162,7 +162,7 @@ public class InternalServlet extends ProxyServlet {
     private static final Object lock = new Object();
     private static Integer logseq = 0; // another piece of info to make log spool file names unique
     //Adding EELF Logger Rally:US664892
-    private static EELFLogger eelfLogger = EELFManager.getInstance()
+    private static final EELFLogger eelfLogger = EELFManager.getInstance()
         .getLogger(InternalServlet.class);
 
     /**
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProvRunner.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProvRunner.java
index 747530ab..4777be8c 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProvRunner.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProvRunner.java
@@ -29,16 +29,15 @@ import static java.lang.System.getProperty;
 import com.att.eelf.configuration.EELFLogger;
 import com.att.eelf.configuration.EELFManager;
-import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.util.Properties;
 import java.util.Timer;
 import org.eclipse.jetty.server.Server;
-import org.onap.dmaap.datarouter.provisioning.utils.AafPropsUtils;
 import org.onap.dmaap.datarouter.provisioning.utils.LogfileLoader;
 import org.onap.dmaap.datarouter.provisioning.utils.Poker;
 import org.onap.dmaap.datarouter.provisioning.utils.ProvDbUtils;
+import org.onap.dmaap.datarouter.provisioning.utils.ProvTlsManager;
 import org.onap.dmaap.datarouter.provisioning.utils.PurgeLogDirTask;
 import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask;
@@ -76,7 +75,7 @@ public class ProvRunner {
     public static final EELFLogger intlogger = EELFManager.getInstance().getLogger("org.onap.dmaap.datarouter.provisioning.internal");
     private static Server provServer;
-    private static AafPropsUtils aafPropsUtils;
+    private static ProvTlsManager provTlsManager;
     private static Properties provProperties;
     private static Boolean tlsEnabled;
@@ -92,13 +91,11 @@ public class ProvRunner {
             exit(1);
         }
         if (Boolean.TRUE.equals(getTlsEnabled())) {
-            // Set up AAF properties
+            // Set up TLS Manager
             try {
-                aafPropsUtils = new AafPropsUtils(new File(getProvProperties().getProperty(
-                    "org.onap.dmaap.datarouter.provserver.aafprops.path",
-                    "/opt/app/osaaf/local/org.onap.dmaap-dr.props")));
-            } catch (IOException e) {
-                intlogger.error("NODE0314 Failed to load AAF props. Exiting", e);
+                provTlsManager = new ProvTlsManager(ProvRunner.getProvProperties(), true);
+            } catch (Exception e) {
+                intlogger.error("NODE0314 Failed to load TLS config. Exiting", e);
                 exit(1);
             }
         }
@@ -153,10 +150,6 @@ public class ProvRunner {
         return provProperties;
     }
 
-    public static AafPropsUtils getAafPropsUtils() {
-        return aafPropsUtils;
-    }
-
     public static Boolean getTlsEnabled() {
         if (tlsEnabled == null) {
             tlsEnabled = Boolean.parseBoolean(getProvProperties()
@@ -164,4 +157,8 @@ public class ProvRunner {
         }
         return tlsEnabled;
     }
+
+    public static ProvTlsManager getProvTlsManager() {
+        return provTlsManager;
+    }
 }
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProvServer.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProvServer.java
index 9eb91178..102d4a24 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProvServer.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProvServer.java
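Review bot: The second argument in `provTlsManager = new ProvTlsManager(ProvRunner.getProvProperties(), true);` is a bare boolean whose meaning cannot be read at the call site, and `ProvTlsManager` is a new file outside this chunk, so a reader has to open it to learn what `true` turns on. Bind it to a named local or add a trailing comment naming the option the constructor's second parameter controls (whatever ProvTlsManager documents it as). The catch was also widened from `IOException` to `Exception`; the `exit(1)` keeps the fail-fast behaviour, but if the constructor declares specific checked exceptions, catching those keeps unexpected runtime errors distinguishable in the log. The enclosing `main` starts and ends outside the hunk.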
@@ -42,7 +42,6 @@ import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.jetbrains.annotations.NotNull;
-import org.onap.dmaap.datarouter.provisioning.utils.AafPropsUtils;
 
 public class ProvServer {
 
@@ -106,14 +105,16 @@ public class ProvServer {
             httpsConfiguration.setRequestHeaderSize(8192);
             // HTTPS connector
             try (ServerConnector httpsServerConnector = new ServerConnector(server,
-                new SslConnectionFactory(getSslContextFactory(provProps), HttpVersion.HTTP_1_1.asString()),
+                new SslConnectionFactory(getSslContextFactory(), HttpVersion.HTTP_1_1.asString()),
                 new HttpConnectionFactory(httpsConfiguration))) {
                 httpsServerConnector.setPort(httpsPort);
                 httpsServerConnector.setIdleTimeout(30000);
                 httpsServerConnector.setAcceptQueueSize(2);
+                intlogger.info("ProvServer: TLS enabled. Setting up both HTTP/S connectors.");
                 server.setConnectors(new Connector[]{httpServerConnector, httpsServerConnector});
             }
         } else {
+            intlogger.info("ProvServer: TLS disabled. Setting up HTTP connector only.");
             server.setConnectors(new Connector[]{httpServerConnector});
         }
         server.setHandler(handlerCollection);
@@ -132,18 +133,9 @@ public class ProvServer {
     }
 
     @NotNull
-    private static SslContextFactory.Server getSslContextFactory(Properties provProps) {
-        SslContextFactory sslContextFactory = new SslContextFactory.Server();
-        sslContextFactory.setKeyStoreType(AafPropsUtils.KEYSTORE_TYPE_PROPERTY);
-        sslContextFactory.setKeyStorePath(ProvRunner.getAafPropsUtils().getKeystorePathProperty());
-        sslContextFactory.setKeyStorePassword(ProvRunner.getAafPropsUtils().getKeystorePassProperty());
-        sslContextFactory.setKeyManagerPassword(ProvRunner.getAafPropsUtils().getKeystorePassProperty());
-
-        sslContextFactory.setTrustStoreType(AafPropsUtils.TRUESTSTORE_TYPE_PROPERTY);
-        sslContextFactory.setTrustStorePath(ProvRunner.getAafPropsUtils().getTruststorePathProperty());
-        sslContextFactory.setTrustStorePassword(ProvRunner.getAafPropsUtils().getTruststorePassProperty());
-
-        sslContextFactory.setExcludeCipherSuites(
+    private static SslContextFactory.Server getSslContextFactory() {
+        SslContextFactory.Server sslContextFactoryServer = ProvRunner.getProvTlsManager().getSslContextFactoryServer();
+        sslContextFactoryServer.setExcludeCipherSuites(
             "SSL_RSA_WITH_DES_CBC_SHA",
             "SSL_DHE_RSA_WITH_DES_CBC_SHA",
             "SSL_DHE_DSS_WITH_DES_CBC_SHA",
@@ -152,17 +144,12 @@ public class ProvServer {
             "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
             "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
         );
-        sslContextFactory.addExcludeProtocols("SSLv3");
-        sslContextFactory.setIncludeProtocols(provProps.getProperty(
-            "org.onap.dmaap.datarouter.provserver.https.include.protocols",
-            "TLSv1.1|TLSv1.2").trim().split("\\|"));
-
-        intlogger.info("Unsupported protocols: " + String.join(",", sslContextFactory.getExcludeProtocols()));
-        intlogger.info("Supported protocols: " + String.join(",", sslContextFactory.getIncludeProtocols()));
-        intlogger.info("Unsupported ciphers: " + String.join(",", sslContextFactory.getExcludeCipherSuites()));
-        intlogger.info("Supported ciphers: " + String.join(",", sslContextFactory.getIncludeCipherSuites()));
-
-        return (SslContextFactory.Server) sslContextFactory;
+        sslContextFactoryServer.addExcludeProtocols("SSLv3");
+        intlogger.info("Unsupported protocols: " + String.join(",", sslContextFactoryServer.getExcludeProtocols()));
+        intlogger.info("Supported protocols: " + String.join(",", sslContextFactoryServer.getIncludeProtocols()));
+        intlogger.info("Unsupported ciphers: " + String.join(",", sslContextFactoryServer.getExcludeCipherSuites()));
+        intlogger.info("Supported ciphers: " + String.join(",", sslContextFactoryServer.getIncludeCipherSuites()));
+        return sslContextFactoryServer;
     }
 
     @NotNull
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProxyServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProxyServlet.java
index 49be5aa0..86b583a5 100755
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProxyServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/ProxyServlet.java
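Review bot: The rewritten `getSslContextFactory()` drops the `setIncludeProtocols(...)` call driven by `org.onap.dmaap.datarouter.provserver.https.include.protocols` (default `TLSv1.1|TLSv1.2`), so the accepted protocol set is now whatever the factory from `ProvRunner.getProvTlsManager().getSslContextFactoryServer()` (outside this chunk) or Jetty's defaults provide, and only `addExcludeProtocols("SSLv3")` survives here. If protocol selection moved into ProvTlsManager, say so where the factory is obtained in the previous hunk, e.g. `// keystore, truststore and enabled protocols are configured by ProvTlsManager; only exclusions are applied here`; if it did not, the allowlist needs to be reinstated or the property documented as no longer honoured. The method also now mutates the shared instance returned by the manager rather than a fresh `SslContextFactory.Server`, so a second call would stack exclusions onto the same object. The method's signature is in the previous hunk; the cipher-suite list between the two hunks is unchanged.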
@@ -30,14 +30,9 @@ import jakarta.servlet.ServletConfig; import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; -import java.io.File; -import java.io.FileInputStream; -import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; import java.net.URI; -import java.security.KeyStore; -import java.security.KeyStoreException; import java.util.Collections; import java.util.List; import org.apache.commons.io.IOUtils; @@ -53,7 +48,6 @@ import org.apache.http.conn.ssl.SSLSocketFactory; import org.apache.http.entity.BasicHttpEntity; import org.apache.http.impl.client.AbstractHttpClient; import org.apache.http.impl.client.DefaultHttpClient; -import org.onap.dmaap.datarouter.provisioning.utils.AafPropsUtils; import org.onap.dmaap.datarouter.provisioning.utils.SynchronizerTask; import org.onap.dmaap.datarouter.provisioning.utils.URLUtilities; 
@@ -81,20 +75,7 @@ public class ProxyServlet extends BaseServlet {
         super.init(config);
         try {
             if (Boolean.TRUE.equals(ProvRunner.getTlsEnabled())) {
-                // Set up keystore
-                String type = AafPropsUtils.KEYSTORE_TYPE_PROPERTY;
-                String store = ProvRunner.getAafPropsUtils().getKeystorePathProperty();
-                String pass = ProvRunner.getAafPropsUtils().getKeystorePassProperty();
-                KeyStore keyStore = readStore(store, pass, type);
-                // Set up truststore
-                store = ProvRunner.getAafPropsUtils().getTruststorePathProperty();
-                pass = ProvRunner.getAafPropsUtils().getTruststorePassProperty();
-                KeyStore trustStore = readStore(store, pass, AafPropsUtils.TRUESTSTORE_TYPE_PROPERTY);
-
-                // We are connecting with the node name, but the certificate will have the CNAME
-                // So we need to accept a non-matching certificate name
-                SSLSocketFactory socketFactory = new SSLSocketFactory(keyStore,
-                    ProvRunner.getAafPropsUtils().getKeystorePassProperty(), trustStore);
+                SSLSocketFactory socketFactory = ProvRunner.getProvTlsManager().getSslSocketFactory();
                 socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
                 sch = new Scheme("https", 443, socketFactory);
             } else {
@@ -108,18 +89,6 @@ public class ProxyServlet extends BaseServlet {
         intlogger.info("ProxyServlet: inited = " + inited);
     }
 
-    private KeyStore readStore(String store, String pass, String type) throws KeyStoreException {
-        KeyStore ks = KeyStore.getInstance(type);
-        try (FileInputStream instream = new FileInputStream(new File(store))) {
-            ks.load(instream, pass.toCharArray());
-        } catch (FileNotFoundException fileNotFoundException) {
-            intlogger.error("ProxyServlet.readStore: " + fileNotFoundException.getMessage(), fileNotFoundException);
-        } catch (Exception x) {
-            intlogger.error("READING TRUSTSTORE: " + x);
-        }
-        return ks;
-    }
-
     /**
      * Return true if the requester has NOT set the noproxy CGI variable. If they have, this indicates
      * they want to forcibly turn the proxy off.
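Review bot: `socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)` is kept, but the two comment lines that justified it (connecting by node name while the certificate carries the CNAME) were deleted together with the keystore block, so hostname verification is now disabled with no stated reason at the call. Restore the rationale directly above that line, e.g. `// Connecting by node name while the cert carries the CNAME, so a non-matching certificate name is accepted`. The factory now comes from `ProvRunner.getProvTlsManager().getSslSocketFactory()`; if that returns a shared instance, the verifier change here also applies to every other consumer of it (SynchronizerTask is touched by this same commit), which deserves either a second comment or a per-caller instance. `init` starts and ends outside the hunk.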
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java index 2ee58d6e..6faecff5 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java 
@@ -263,66 +263,6 @@ public class SubscribeServlet extends ProxyServlet { } sub.setFeedid(feedid); sub.setSubscriber(bhdr); // set from X-DMAAP-DR-ON-BEHALF-OF header - /* - * START - AAF changes - * TDP EPIC US# 307413 - * CADI code - check on permissions based on Legacy/AAF users to allow to create/add subscription - */ - String feedAafInstance = feed.getAafInstance(); - String subAafInstance = sub.getAafInstance(); - boolean subAafLegacyEmptyOrNull = (subAafInstance == null - || "".equals(subAafInstance) || "legacy".equalsIgnoreCase(subAafInstance)); - - // This extra check added to verify AAF feed with AAF subscriber having empty aaf instance check - if (feedAafInstance == null || "".equals(feedAafInstance) || "legacy".equalsIgnoreCase(feedAafInstance)) { - if (subAafLegacyEmptyOrNull) { - AuthorizationResponse aresp = authz.decide(req); - if (!aresp.isAuthorized()) { - message = POLICY_ENGINE; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } else { - //If Legacy Feed and AAF instance provided in Subscriber JSON - message = "AAF Subscriber can not be added to legacy Feed- " + feedid; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } else { - //New AAF Requirement to add legacy subscriber to AAF Feed - if (subAafLegacyEmptyOrNull) { - AuthorizationResponse aresp = authz.decide(req); - if (!aresp.isAuthorized()) { - message = POLICY_ENGINE; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } else { - //New AAF Requirement to add subscriber by publisher on publisher approval 
only - String permission = getSubscriberPermission(subAafInstance, BaseServlet.APPROVE_SUB_PERMISSION); - eventlogger.info("SubscribeServlet.doPost().. Permission String - " + permission); - if (!req.isUserInRole(permission)) { - message = "AAF disallows access to permission - " + permission; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } - } - /* - * END - AAF changes - */ // Check if this subscription already exists; not an error (yet), just warn Subscription sub2 = Subscription.getSubscriptionMatching(sub); if (sub2 != null) { diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java index 1851d03a..f4f3c9b0 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java 
@@ -111,37 +111,6 @@ public class SubscriptionServlet extends ProxyServlet { sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger); return; } - /* - * START - AAF changes - * TDP EPIC US# 307413 - * CADI code - check on permissions based on Legacy/AAF users to allow to delete/remove subscription - */ - String aafInstance = sub.getAafInstance(); - if (aafInstance == null || "".equals(aafInstance) || "legacy".equalsIgnoreCase(aafInstance)) { - AuthorizationResponse aresp = authz.decide(req); - if (!aresp.isAuthorized()) { - message = POLICY_ENGINE; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } else { - String permission = getSubscriberPermission(aafInstance, BaseServlet.DELETE_PERMISSION); - eventlogger.info("SubscriptionServlet.doDelete().. Permission String - " + permission); - if (!req.isUserInRole(permission)) { - message = "AAF disallows access to permission - " + permission; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } - /* - * END - AAF changes - */ // Delete Subscription if (doDelete(sub)) { activeSubs--; 
@@ -321,38 +290,6 @@ public class SubscriptionServlet extends ProxyServlet { sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } - - /* - * START - AAF changes - * TDP EPIC US# 307413 - * CADI code - check on permissions based on Legacy/AAF users to allow to delete/remove subscription - */ - String aafInstance = sub.getAafInstance(); - if (aafInstance == null || "".equals(aafInstance) || "legacy".equalsIgnoreCase(aafInstance)) { - AuthorizationResponse aresp = authz.decide(req); - if (!aresp.isAuthorized()) { - message = POLICY_ENGINE; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } else { - String permission = getSubscriberPermission(aafInstance, BaseServlet.EDIT_PERMISSION); - eventlogger.info("SubscriptionServlet.doDelete().. Permission String - " + permission); - if (!req.isUserInRole(permission)) { - message = "AAF disallows access to permission - " + permission; - elr.setMessage(message); - elr.setResult(HttpServletResponse.SC_FORBIDDEN); - eventlogger.error(elr.toString()); - sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); - return; - } - } - /* - * END - AAF changes - */ sub.setSubid(oldsub.getSubid()); sub.setFeedid(oldsub.getFeedid()); sub.setSubscriber(bhdr); // set from X-DMAAP-DR-ON-BEHALF-OF header diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java index c6344301..af6b3575 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Feed.java 
@@ -77,7 +77,6 @@ public class Feed extends Syncable { private boolean suspended; private Date lastMod; private Date createdDate; - private String aafInstance; public Feed() { this("", "", "", ""); @@ -104,7 +103,6 @@ public class Feed extends Syncable { this.suspended = false; this.lastMod = new Date(); this.createdDate = new Date(); - this.aafInstance = ""; } /** @@ -133,7 +131,6 @@ public class Feed extends Syncable { this.suspended = rs.getBoolean("SUSPENDED"); this.lastMod = rs.getDate("LAST_MOD"); this.createdDate = rs.getTimestamp("CREATED_DATE"); - this.aafInstance = rs.getString("AAF_INSTANCE"); } /** @@ -148,10 +145,6 @@ public class Feed extends Syncable { this.feedid = jo.optInt(FEED_ID, -1); this.groupid = jo.optInt("groupid"); this.name = jo.getString("name"); - this.aafInstance = jo.optString("aaf_instance", "legacy"); - if (!("legacy".equalsIgnoreCase(aafInstance)) && aafInstance.length() > 255) { - throw new InvalidObjectException("aaf_instance field is too long"); - } if (name.length() > 255) { throw new InvalidObjectException("name field is too long"); } @@ -440,10 +433,6 @@ public class Feed extends Syncable { fl.setLog(URLUtilities.generateFeedLogURL(feedid)); } - public String getAafInstance() { - return aafInstance; - } - //new getter setters for groups- Rally:US708115 - 1610 public int getGroupid() { return groupid; @@ -553,7 +542,6 @@ public class Feed extends Syncable { jo.put("suspend", suspended); jo.put(LAST_MOD, lastMod.getTime()); jo.put(CREATED_DATE, createdDate.getTime()); - jo.put("aaf_instance", aafInstance); return jo; } 
@@ -634,8 +622,8 @@ public class Feed extends Syncable { try (PreparedStatement ps = conn.prepareStatement( "insert into FEEDS (FEEDID, NAME, VERSION, DESCRIPTION, AUTH_CLASS, PUBLISHER, SELF_LINK, " + "PUBLISH_LINK, SUBSCRIBE_LINK, LOG_LINK, DELETED, SUSPENDED," - + "BUSINESS_DESCRIPTION, GROUPID, AAF_INSTANCE) " - + "values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) { + + "BUSINESS_DESCRIPTION, GROUPID) " + + "values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) { ps.setInt(1, feedid); ps.setString(2, getName()); ps.setString(3, getVersion()); @@ -650,7 +638,6 @@ public class Feed extends Syncable { ps.setBoolean(12, isSuspended()); ps.setString(13, getBusinessDescription()); ps.setInt(14, groupid); - ps.setString(15, getAafInstance()); ps.executeUpdate(); } } catch (SQLException e) { @@ -799,9 +786,6 @@ public class Feed extends Syncable { if (suspended != of.suspended) { return false; } - if (!aafInstance.equals(of.aafInstance)) { - return false; - } return true; } diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Subscription.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Subscription.java index 5741881c..6928addf 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Subscription.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/beans/Subscription.java @@ -72,7 +72,6 @@ public class Subscription extends Syncable { private Date lastMod; private Date createdDate; private boolean privilegedSubscriber; - private String aafInstance; private boolean decompress; public Subscription() { @@ -98,7 +97,6 @@ public class Subscription extends Syncable { this.lastMod = new Date(); this.createdDate = new Date(); this.privilegedSubscriber = false; - this.aafInstance = ""; this.decompress = false; } 
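Review bot: The rewritten INSERT no longer names AAF_INSTANCE or binds a value for it, but nothing in this change touches the FEEDS schema; if that column still exists as NOT NULL without a default, every feed insert fails at runtime (the listing is limited to the Java tree, so a migration may exist outside it — worth confirming before merge). The SUBSCRIPTIONS insert in Subscription.java (`@@ -490,8 +474,8 @@`) has the same dependency. A one-line comment above the statement, `// AAF_INSTANCE is no longer written; the column must be dropped or given a default in the schema`, would make the coupling explicit for whoever runs the upgrade.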
@@ -121,7 +119,6 @@ public class Subscription extends Syncable { this.lastMod = rs.getDate("LAST_MOD"); this.createdDate = rs.getDate("CREATED_DATE"); this.privilegedSubscriber = rs.getBoolean("PRIVILEGED_SUBSCRIBER"); - this.aafInstance = rs.getString("AAF_INSTANCE"); this.decompress = rs.getBoolean("DECOMPRESS"); } @@ -137,10 +134,6 @@ public class Subscription extends Syncable { this.subid = jo.optInt(SUBID_KEY, -1); this.feedid = jo.optInt(FEEDID_KEY, -1); this.groupid = jo.optInt(GROUPID_KEY, -1); //New field is added - Groups feature Rally:US708115 - 1610 - this.aafInstance = jo.optString("aaf_instance", "legacy"); - if (!(aafInstance.equalsIgnoreCase("legacy")) && aafInstance.length() > 255) { - throw new InvalidObjectException("aaf_instance field is too long"); - } JSONObject jdeli = jo.getJSONObject("delivery"); String url = jdeli.getString("url"); String user = jdeli.getString("user"); @@ -334,14 +327,6 @@ public class Subscription extends Syncable { sl.setFeed(URLUtilities.generateFeedURL(feedid)); } - public String getAafInstance() { - return aafInstance; - } - - public void setAafInstance(String aafInstance) { - this.aafInstance = aafInstance; - } - //New getter setters for Groups feature Rally:US708115 - 1610 public int getGroupid() { return groupid; @@ -439,7 +424,6 @@ public class Subscription extends Syncable { jo.put(LAST_MOD_KEY, lastMod.getTime()); jo.put(CREATED_DATE, createdDate.getTime()); jo.put("privilegedSubscriber", privilegedSubscriber); - jo.put("aaf_instance", aafInstance); jo.put("decompress", decompress); return jo; } 
@@ -490,8 +474,8 @@ public class Subscription extends Syncable { // Create the SUBSCRIPTIONS row String sql = "insert into SUBSCRIPTIONS (SUBID, FEEDID, DELIVERY_URL, DELIVERY_USER, DELIVERY_PASSWORD, " + "DELIVERY_USE100, METADATA_ONLY, SUBSCRIBER, SUSPENDED, GROUPID, " - + "PRIVILEGED_SUBSCRIBER, FOLLOW_REDIRECTS, DECOMPRESS, AAF_INSTANCE) " - + "values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"; + + "PRIVILEGED_SUBSCRIBER, FOLLOW_REDIRECTS, DECOMPRESS) " + + "values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"; ps = conn.prepareStatement(sql, new String[]{SUBID_COL}); ps.setInt(1, subid); ps.setInt(2, feedid); @@ -506,7 +490,6 @@ public class Subscription extends Syncable { ps.setBoolean(11, isPrivilegedSubscriber()); ps.setInt(12, isFollowRedirect() ? 1 : 0); ps.setBoolean(13, isDecompress()); - ps.setString(14, getAafInstance()); ps.execute(); ps.close(); // Update the row to set the URLs @@ -630,9 +613,6 @@ public class Subscription extends Syncable { if (suspended != os.suspended) { return false; } - if (!aafInstance.equals(os.aafInstance)) { - return false; - } return true; } diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/AafPropsUtils.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/AafPropsUtils.java deleted file mode 100644 index 57bc84bd..00000000 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/AafPropsUtils.java +++ /dev/null 
@@ -1,83 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * Copyright (C) 2019 Nordix Foundation. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * SPDX-License-Identifier: Apache-2.0 - * ============LICENSE_END========================================================= - */ - -package org.onap.dmaap.datarouter.provisioning.utils; - -import com.att.eelf.configuration.EELFLogger; -import com.att.eelf.configuration.EELFManager; -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; -import org.onap.aaf.cadi.PropAccess; - -public class AafPropsUtils { - - private static final EELFLogger eelfLogger = EELFManager.getInstance().getLogger(AafPropsUtils.class); - - public static final String KEYSTORE_TYPE_PROPERTY = "PKCS12"; - public static final String TRUESTSTORE_TYPE_PROPERTY = "jks"; - private static final String KEYSTORE_PATH_PROPERTY = "cadi_keystore"; - private static final String KEYSTORE_PASS_PROPERTY = "cadi_keystore_password_p12"; - private static final String TRUSTSTORE_PATH_PROPERTY = "cadi_truststore"; - private static final String TRUSTSTORE_PASS_PROPERTY = "cadi_truststore_password"; - - private final PropAccess propAccess; - - public AafPropsUtils(File propsFile) throws IOException { - propAccess = new PropAccess(); - try { - propAccess.load(new FileInputStream(propsFile)); - } catch 
(IOException e) { - eelfLogger.error("Failed to load props file: " + propsFile + "\n" + e.getMessage(), e); - throw e; - } - } - - private String decryptedPass(String password) { - String decryptedPass = null; - try { - decryptedPass = propAccess.decrypt(password, false); - } catch (IOException e) { - eelfLogger.error("Failed to decrypt " + password + " : " + e.getMessage(), e); - } - return decryptedPass; - } - - public PropAccess getPropAccess() { - return propAccess; - } - - public String getKeystorePathProperty() { - return propAccess.getProperty(KEYSTORE_PATH_PROPERTY); - } - - public String getKeystorePassProperty() { - return decryptedPass(propAccess.getProperty(KEYSTORE_PASS_PROPERTY)); - } - - public String getTruststorePathProperty() { - return propAccess.getProperty(TRUSTSTORE_PATH_PROPERTY); - } - - public String getTruststorePassProperty() { - return decryptedPass(propAccess.getProperty(TRUSTSTORE_PASS_PROPERTY)); - } - -} diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/DRRouteCLI.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/DRRouteCLI.java index c614c0ba..a0ece41a 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/DRRouteCLI.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/DRRouteCLI.java @@ -108,6 +108,7 @@ public class DRRouteCLI { private int width = 120; // screen width (for list) private AbstractHttpClient httpclient; + @SuppressWarnings("deprecation") /** * Create a DRRouteCLI object connecting to the specified server. * 
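Review bot: The new `@SuppressWarnings("deprecation")` is inserted above the constructor's Javadoc rather than between the closing `*/` and `public DRRouteCLI(String server)`, which is the position Checkstyle's InvalidJavadocPosition flags and which doc tooling may not associate with the constructor. Move the annotation below the Javadoc block so the comment stays attached to the declaration it documents. The constructor body itself is in the following hunk.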
@@ -117,20 +118,18 @@ public class DRRouteCLI { public DRRouteCLI(String server) throws Exception { this.server = server; this.httpclient = new DefaultHttpClient(); - AafPropsUtils aafPropsUtils = null; + ProvTlsManager provTlsManager = null; Properties provProperties = ProvRunner.getProvProperties(); try { - aafPropsUtils = new AafPropsUtils(new File(provProperties.getProperty( - "org.onap.dmaap.datarouter.provserver.aafprops.path", - "/opt/app/osaaf/local/org.onap.dmaap-dr.props"))); - } catch (IOException e) { - intlogger.error("NODE0314 Failed to load AAF props. Exiting", e); + provTlsManager = new ProvTlsManager(provProperties, false); + } catch (Exception e) { + intlogger.error("NODE0314 Failed to load TLS config. Exiting", e); exit(1); } - String truststoreFile = aafPropsUtils.getTruststorePathProperty(); - String truststorePw = aafPropsUtils.getTruststorePassProperty(); + String truststoreFile = provTlsManager.getTrustStoreFile(); + String truststorePw = provTlsManager.getTrustStorePassword(); KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); if (truststoreFile == null || truststoreFile.equals("")) { diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/ProvTlsManager.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/ProvTlsManager.java new file mode 100644 index 00000000..4cf59066 --- /dev/null +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/ProvTlsManager.java 
@@ -0,0 +1,162 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2022 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.dmaap.datarouter.provisioning.utils; + +import com.att.eelf.configuration.EELFLogger; +import com.att.eelf.configuration.EELFManager; +import java.io.FileInputStream; +import java.io.IOException; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableKeyException; +import java.security.cert.CertificateException; +import java.util.Properties; +import org.apache.http.conn.ssl.SSLSocketFactory; +import org.eclipse.jetty.util.ssl.SslContextFactory; + +public class ProvTlsManager { + + private static final EELFLogger eelfLogger = EELFManager.getInstance().getLogger(ProvTlsManager.class); + + private final String keyStoreType; + private final String keyStorefile; + private final String keyStorePassword; + private final String keyManagerPassword; + private KeyStore keyStore; + + private final String trustStoreType; + private final String trustStoreFile; + private final String trustStorePassword; 
+ private KeyStore trustStore; + + private final String[] enabledProtocols; + + /** + * Utility class to handle Provisioning server SSL configuration + * + * @param properties DR provisioning server properties + * @throws Exception for any unrecoverable problem + */ + public ProvTlsManager(Properties properties, boolean preLoadCerts) throws Exception { + + keyStoreType = properties.getProperty("org.onap.dmaap.datarouter.provserver.keystoretype", "PKCS12"); + keyStorefile = properties.getProperty("org.onap.dmaap.datarouter.provserver.keystorepath"); + keyStorePassword = properties.getProperty("org.onap.dmaap.datarouter.provserver.keystorepassword"); + keyManagerPassword = properties.getProperty("org.onap.dmaap.datarouter.provserver.keymanagerpassword"); + + trustStoreType = properties.getProperty("org.onap.dmaap.datarouter.provserver.truststoretype", "jks"); + trustStoreFile = properties.getProperty("org.onap.dmaap.datarouter.provserver.truststorepath"); + trustStorePassword = properties.getProperty("org.onap.dmaap.datarouter.provserver.truststorepassword"); + + if (preLoadCerts) { + eelfLogger.debug("ProvTlsManager: Attempting to pre load certificate data from config."); + setUpKeyStore(); + setUpTrustStore(); + } + + enabledProtocols = properties.getProperty( + "org.onap.dmaap.datarouter.provserver.https.include.protocols", + "TLSv1.1|TLSv1.2").trim().split("\\|"); + } + + /** + * Gets an SSLSocketFactory instance constructed using the relevant SSL properties + * + * @return SSLSocketFactory + * @throws KeyStoreException if SSL config is invalid + */ + public SSLSocketFactory getSslSocketFactory() + throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException { + eelfLogger.debug("ProvTlsManager.getSslSocketFactory: Setting up SSLSocketFactory"); + if (this.trustStoreFile == null) { + eelfLogger.warn("Warning: No trust store available."); + return new SSLSocketFactory(this.keyStore, this.keyStorePassword); + } + return new 
SSLSocketFactory(this.keyStore, this.keyStorePassword, this.trustStore); + } + + /** + * Gets an SslContextFactory.Server instance constructed using the relevant SSL properties + * + * @return SslContextFactory.Server + */ + public SslContextFactory.Server getSslContextFactoryServer() { + eelfLogger.debug("ProvTlsManager.getSslContextFactoryServer: Setting up getSslContextFactoryServer"); + SslContextFactory.Server sslContextFactoryServer = new SslContextFactory.Server(); + sslContextFactoryServer.setKeyStoreType(this.keyStoreType); + sslContextFactoryServer.setKeyStorePath(this.keyStorefile); + sslContextFactoryServer.setKeyStorePassword(this.keyStorePassword); + sslContextFactoryServer.setKeyManagerPassword(this.keyManagerPassword); + if (this.trustStoreFile != null) { + sslContextFactoryServer.setTrustStoreType(this.trustStoreType); + sslContextFactoryServer.setTrustStorePath(this.trustStoreFile); + sslContextFactoryServer.setTrustStorePassword(this.trustStorePassword); + } + sslContextFactoryServer.setIncludeProtocols(this.enabledProtocols); + return sslContextFactoryServer; + } + + /** + * Get the trust store file path from dr config + * + * @return String + */ + public String getTrustStoreFile() { + return trustStoreFile; + } + + /** + * Get the trust store password from dr config + * + * @return String + */ + public String getTrustStorePassword() { + return trustStorePassword; + } + + private void setUpKeyStore() + throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException { + eelfLogger.debug("ProvTlsManager.setUpKeyStore: Attempting to load keyStore {}", keyStorefile); + keyStore = readKeyStore(keyStorefile, keyStorePassword, keyStoreType); + } + + private void setUpTrustStore() + throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException { + if (trustStoreFile != null && trustStorePassword != null) { + eelfLogger.debug("ProvTlsManager.setUpTrustStore: Attempting to load trustStore {}", trustStoreFile); 
+ trustStore = readKeyStore(trustStoreFile, trustStorePassword, trustStoreType); + } else { + eelfLogger.warn("No truststore provided from properties. Skipping."); + } + } + + private KeyStore readKeyStore(String keyStore, String pass, String type) + throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException { + eelfLogger.debug("ProvTlsManager.readKeyStore: Verifying load of keystore {}", keyStore); + KeyStore ks = KeyStore.getInstance(type); + try (FileInputStream stream = new FileInputStream(keyStore)) { + ks.load(stream, pass.toCharArray()); + } + return ks; + } +} \ No newline at end of file diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/SynchronizerTask.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/SynchronizerTask.java index ef282618..86c178a3 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/SynchronizerTask.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/SynchronizerTask.java 
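Review bot: The default for `org.onap.dmaap.datarouter.provserver.https.include.protocols` is `"TLSv1.1|TLSv1.2"`, so a deployment that omits the property serves the deprecated TLS 1.1; the default should be `"TLSv1.2|TLSv1.3"`. Store passwords are now taken verbatim from the properties (`keyStorePassword`, `keyManagerPassword`, `trustStorePassword`), whereas the deleted AafPropsUtils ran them through `propAccess.decrypt`, so the provisioning properties file now holds cleartext store passwords — the class comment should say so and the deployment docs should cover restricting that file. `getSslSocketFactory()` passes `this.keyStore` to the Apache factory without checking it was loaded, yet the field is only populated when `preLoadCerts` is true (DRRouteCLI passes false), so `if (keyStore == null) { setUpKeyStore(); }` or an `IllegalStateException` at the top would avoid a factory built over a null store. The null handling is also inconsistent: `setUpTrustStore` requires both `trustStoreFile` and `trustStorePassword`, while `getSslSocketFactory` tests only `trustStoreFile`, and `setUpKeyStore` forwards a possibly null `keyStorePassword` to `readKeyStore`, which NPEs on `pass.toCharArray()` instead of reporting the missing property. The constructor Javadoc lacks `@param preLoadCerts when true, the key and trust stores are opened and loaded immediately; when false only the property values are captured`.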
@@ -140,33 +140,7 @@ public class SynchronizerTask extends TimerTask { try (AbstractHttpClient hc = new DefaultHttpClient()) { Scheme sch; if (Boolean.TRUE.equals(ProvRunner.getTlsEnabled())) { - // Set up keystore - String type = AafPropsUtils.KEYSTORE_TYPE_PROPERTY; - String store = ProvRunner.getAafPropsUtils().getKeystorePathProperty(); - String pass = ProvRunner.getAafPropsUtils().getKeystorePassProperty(); - KeyStore keyStore = KeyStore.getInstance(type); - try (FileInputStream instream = new FileInputStream(store)) { - keyStore.load(instream, pass.toCharArray()); - - } - // Set up truststore - store = ProvRunner.getAafPropsUtils().getTruststorePathProperty(); - pass = ProvRunner.getAafPropsUtils().getTruststorePassProperty(); - KeyStore trustStore = null; - if (store != null && store.length() > 0) { - trustStore = KeyStore.getInstance(AafPropsUtils.TRUESTSTORE_TYPE_PROPERTY); - try (FileInputStream instream = new FileInputStream(store)) { - trustStore.load(instream, pass.toCharArray()); - - } - } - // We are connecting with the node name, but the certificate will have the CNAME - // So we need to accept a non-matching certificate name - String keystorepass = ProvRunner.getAafPropsUtils().getKeystorePassProperty(); - SSLSocketFactory socketFactory = - (trustStore == null) - ? new SSLSocketFactory(keyStore, keystorepass) - : new SSLSocketFactory(keyStore, keystorepass, trustStore); + SSLSocketFactory socketFactory = ProvRunner.getProvTlsManager().getSslSocketFactory(); socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); sch = new Scheme("https", 443, socketFactory); } else { @@ -180,6 +154,7 @@ public class SynchronizerTask extends TimerTask { } catch (Exception e) { logger.warn("PROV5005: Problem starting the synchronizer: " + e); } + logger.info("PROV5000: SynchronizerTask started"); } private void setSynchTimer(String strInterval) { 
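Review bot: The removed comment was the only explanation for the surviving `socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)` line, which now stands unexplained even though disabling hostname verification is a deliberate trust trade-off. Keep the rationale next to it, e.g. `// Connections use the node name while the certificate carries the CNAME, so hostname verification is disabled here; trust rests solely on the configured truststore.` The new `getSslSocketFactory()` call also presumes ProvRunner built its ProvTlsManager with preLoadCerts=true, since the factory otherwise wraps an unloaded keystore; that construction is outside this hunk and worth confirming.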
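Review bot: `logger.info("PROV5000: SynchronizerTask started")` sits after the `catch (Exception e)` block, so it is emitted even when the try body failed and PROV5005 has just been logged, and the log then claims a start that did not happen. Move the line to the end of the try body so it is reached only on the success path, or set a local flag in the try and log conditionally. The enclosing method begins outside this hunk.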
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/URLUtilities.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/URLUtilities.java index 89403488..a5eb4590 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/URLUtilities.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/URLUtilities.java @@ -161,7 +161,8 @@ public class URLUtilities { private static String getAppropriateUrlPort() { if (Boolean.TRUE.equals(ProvRunner.getTlsEnabled())) { - return ""; + return ":" + ProvRunner.getProvProperties() + .getProperty("org.onap.dmaap.datarouter.provserver.https.port", "8443"); } return ":" + ProvRunner.getProvProperties() .getProperty("org.onap.dmaap.datarouter.provserver.http.port", "8080"); -- cgit 1.2.3-korg
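Review bot: The two branches of `getAppropriateUrlPort()` now differ only in the property key and default, so the lookup is duplicated; `String key = tls ? "org.onap.dmaap.datarouter.provserver.https.port" : "org.onap.dmaap.datarouter.provserver.http.port";` with the matching `"8443"`/`"8080"` default and a single `return ":" + ProvRunner.getProvProperties().getProperty(key, def);` reads more clearly. Because the TLS form previously returned an empty suffix, any stored self/publish/subscribe links or comparisons built from this helper (outside this hunk) will now carry an explicit `:8443`, which is worth checking against existing data and clients.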