authordglFromAtt <dgl@research.att.com>2020-03-06 13:49:02 -0500
committerdglFromAtt <dgl@research.att.com>2020-03-06 13:49:47 -0500
commitfdaafe26bd0dba6fa825e22f16b9819ca2771bec (patch)
tree2d06e06c7b931d647982a98f5440a59ac9e9d883
parent0c5fb02166b500ff6751265811030d23acfc5b5e (diff)
Use dynamic certificates
New property indicates that the cadi properties file should be used. Use the Cadi library to access the properties, especially the password. Issue-ID: DMAAP-1401 Signed-off-by: dglFromAtt <dgl@research.att.com> Change-Id: I1dcb236341a9795aa6bc0b5da71f046f5e0afa30 Signed-off-by: dglFromAtt <dgl@research.att.com>
-rw-r--r--pom.xml2
-rw-r--r--src/main/java/org/onap/dmaap/dbcapi/client/MrProvConnection.java17
-rw-r--r--src/main/java/org/onap/dmaap/dbcapi/server/CadiCertificateManager.java61
-rw-r--r--src/main/java/org/onap/dmaap/dbcapi/server/CertficateManagerFactory.java51
-rw-r--r--src/main/java/org/onap/dmaap/dbcapi/server/CertificateManager.java98
-rw-r--r--src/main/java/org/onap/dmaap/dbcapi/server/JettyServer.java49
-rw-r--r--src/main/java/org/onap/dmaap/dbcapi/server/LegacyCertificateManager.java39
-rw-r--r--version.properties2
8 files changed, 292 insertions, 27 deletions
diff --git a/pom.xml b/pom.xml
index 6a149d1..7328dbb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -420,7 +420,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<jettyVersion>9.4.24.v20191120</jettyVersion>
<eelf.version>1.0.0</eelf.version>
- <artifact.version>2.0.1-SNAPSHOT</artifact.version>
+ <artifact.version>2.0.2-SNAPSHOT</artifact.version>
<junit.version>4.12</junit.version>
<!-- SONAR -->
<jacoco.version>0.7.7.201606060606</jacoco.version>
diff --git a/src/main/java/org/onap/dmaap/dbcapi/client/MrProvConnection.java b/src/main/java/org/onap/dmaap/dbcapi/client/MrProvConnection.java
index 688bbce..9c3fa4e 100644
--- a/src/main/java/org/onap/dmaap/dbcapi/client/MrProvConnection.java
+++ b/src/main/java/org/onap/dmaap/dbcapi/client/MrProvConnection.java
@@ -76,15 +76,24 @@ public class MrProvConnection extends BaseLoggingClass{
public boolean makeTopicConnection( MR_Cluster cluster ) {
- logger.info( "connect to cluster: " + cluster.getDcaeLocationName());
-
+ boolean rc = false;
+ logger.info( "connect to cluster: " + cluster.getDcaeLocationName());
+
provURL = cluster.getTopicProtocol() + "://" + cluster.getFqdn() + ":" + cluster.getTopicPort() + "/topics/create";
if ( cluster.getTopicProtocol().equals( "https" ) ) {
- return makeSecureConnection( provURL );
+ rc = makeSecureConnection( provURL );
+ } else {
+ rc = makeConnection( provURL );
}
- return makeConnection( provURL );
+ if ( rc && unit_test.equals( "Yes" ) ) {
+ // set timeouts low so we don't hold up unit tests in build process
+ uc.setReadTimeout(5);
+ uc.setConnectTimeout(5);
+ }
+ return rc;
+
}
private boolean makeSecureConnection( String pURL ) {
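Review bot: The new guard `if ( rc && unit_test.equals( "Yes" ) )` dereferences `unit_test`, which is declared outside this hunk; if it can be unset it will throw a NullPointerException on every successful connection, so the null-safe form `if ( rc && "Yes".equals( unit_test ) )` is the safer spelling. The timeouts are applied to `uc`, which is also declared outside the hunk, so the code presumably relies on `makeSecureConnection`/`makeConnection` having assigned it whenever they return true — worth a one-line comment such as `// uc is set by makeSecureConnection/makeConnection when rc is true`. The comment above the timeouts could also state the unit, e.g. `// 5 ms read/connect timeouts so unit tests never block on a real cluster`, since `setReadTimeout`/`setConnectTimeout` take milliseconds.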
diff --git a/src/main/java/org/onap/dmaap/dbcapi/server/CadiCertificateManager.java b/src/main/java/org/onap/dmaap/dbcapi/server/CadiCertificateManager.java
new file mode 100644
index 0000000..1da2bc4
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dbcapi/server/CadiCertificateManager.java
@@ -0,0 +1,61 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.dmaap.dbcapi.server;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.util.Properties;
+
+import org.onap.aaf.cadi.PropAccess;
+
+public class CadiCertificateManager extends CertificateManager {
+ private PropAccess propAccess;
+
+ CadiCertificateManager( Properties properties ) {
+ String cadiPropsFile = properties.getProperty("cadi.properties", "etc/org.onap.dmaa-bc.props");
+ logger.info( "using cadi properties in ", cadiPropsFile);
+
+ propAccess = new PropAccess();
+ ready = true;
+ try {
+ propAccess.load( new FileInputStream( cadiPropsFile ));
+ } catch ( IOException e ) {
+ logger.error( "Failed to load props file: " + cadiPropsFile + "\n" + e.getMessage());
+ ready = false;
+ }
+ setKeyStoreType( "jks");
+ setKeyStoreFile( propAccess.getProperty("cadi_keystore") );
+ setKeyStorePassword( decryptPass( propAccess.getProperty("cadi_keystore_password_jks" ) ));
+
+ setTrustStoreType( "jks");
+ setTrustStoreFile( propAccess.getProperty("cadi_truststore" ) );
+ setTrustStorePassword( decryptPass( propAccess.getProperty("cadi_truststore_password" ) ));
+ }
+
+ private String decryptPass( String password ) {
+ String clear = null;
+ try {
+ clear = propAccess.decrypt(password, false );
+ } catch (IOException e) {
+ logger.error( "Failed to decrypt " + password + ": " + e.getMessage() );
+ }
+ return clear;
+ }
+}
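Review bot: The FileInputStream opened at the `propAccess.load( new FileInputStream( cadiPropsFile ))` call is never closed, and when the load fails the constructor sets `ready = false` but still goes on to read the `cadi_*` properties and feed them through `decryptPass`, so a missing props file likely ends in a NullPointerException inside PropAccess rather than the not-ready state JettyServer checks for; open the stream in try-with-resources and return after a failed load, as in the fence below. `decryptPass` also logs the raw `password` argument on failure — that is a credential (or its encrypted form) going into the log — so the message should identify the property rather than its value, e.g. `logger.error( "Failed to decrypt store password from " + cadiPropsFile + ": " + e.getMessage() );`. Two smaller points: `logger.info( "using cadi properties in ", cadiPropsFile)` passes the file name as a second argument with no placeholder in the message, so whether it is rendered depends on the logger's formatting convention — concatenating it, as the error path already does, avoids the question; and the default `etc/org.onap.dmaa-bc.props` looks like a typo for `org.onap.dmaap-bc`, the spelling LegacyCertificateManager's truststore default uses.
```java
    CadiCertificateManager( Properties properties ) {
        String cadiPropsFile = properties.getProperty("cadi.properties", "etc/org.onap.dmaa-bc.props");
        logger.info( "using cadi properties in " + cadiPropsFile);

        propAccess = new PropAccess();
        try ( FileInputStream in = new FileInputStream( cadiPropsFile ) ) {
            propAccess.load( in );
        } catch ( IOException e ) {
            logger.error( "Failed to load props file: " + cadiPropsFile + "\n" + e.getMessage());
            ready = false;
            return;   // leave the stores unset; JettyServer checks isReady() before using them
        }
        ready = true;
        // … unchanged: keystore/truststore setters …
    }
```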
diff --git a/src/main/java/org/onap/dmaap/dbcapi/server/CertficateManagerFactory.java b/src/main/java/org/onap/dmaap/dbcapi/server/CertficateManagerFactory.java
new file mode 100644
index 0000000..55aa0c1
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dbcapi/server/CertficateManagerFactory.java
@@ -0,0 +1,51 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dmaap.dbcapi.server;
+
+
+import java.util.Properties;
+
+import org.onap.dmaap.dbcapi.logging.BaseLoggingClass;
+import org.onap.dmaap.dbcapi.util.DmaapConfig;
+
+public class CertficateManagerFactory extends BaseLoggingClass {
+ private final Properties dmaapConfig;
+
+ public CertficateManagerFactory() {
+ this((DmaapConfig) DmaapConfig.getConfig());
+ }
+
+ CertficateManagerFactory(Properties params) {
+ this.dmaapConfig = params;
+ }
+
+ public CertificateManager initCertificateManager() {
+ boolean useCadi = "cadi".equalsIgnoreCase(dmaapConfig.getProperty("CertificateManagement", "legacy"));
+ logger.info("CertificateManagerFactory: useCadi=", useCadi);
+
+ if ( useCadi ) {
+ return new CadiCertificateManager( dmaapConfig );
+ }
+ return new LegacyCertificateManager( dmaapConfig );
+ }
+
+
+}
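Review bot: The class is named `CertficateManagerFactory` (missing an `i`) while its own log line says `CertificateManagerFactory:` and the type it returns is `CertificateManager`; the misspelling is also baked into JettyServer's `new CertficateManagerFactory(params)` call, so renaming it now, before other callers appear, is the cheapest time to do it. In the same log line, `useCadi` is passed as a second argument to `logger.info` with no placeholder in the message, so whether the value reaches the log depends on the logger's formatting convention — `logger.info("CertificateManagerFactory: useCadi=" + useCadi);` avoids the question. A Javadoc on `initCertificateManager` documenting the `CertificateManagement` property and its values (`cadi` selects the CADI manager, anything else falls back to legacy) would make the switch discoverable from the configuration side.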
diff --git a/src/main/java/org/onap/dmaap/dbcapi/server/CertificateManager.java b/src/main/java/org/onap/dmaap/dbcapi/server/CertificateManager.java
new file mode 100644
index 0000000..e0f554d
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dbcapi/server/CertificateManager.java
@@ -0,0 +1,98 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dmaap.dbcapi.server;
+
+import org.onap.dmaap.dbcapi.logging.BaseLoggingClass;
+
+public abstract class CertificateManager extends BaseLoggingClass{
+
+ class cmAttribute {
+ private String type;
+ private String file;
+ private String password;
+
+ private String getType() {
+ return type;
+ }
+ private void setType(String certificateType) {
+ this.type = certificateType;
+ }
+ private String getFile() {
+ return file;
+ }
+ private void setFile(String keyStoreFile) {
+ this.file = keyStoreFile;
+ }
+ private void setPassword( String pwd ) {
+ this.password = pwd;
+ }
+ private String getPassword() {
+ return password;
+ }
+ }
+
+ private cmAttribute keyStore;
+ private cmAttribute trustStore;
+ protected boolean ready;
+
+ public boolean isReady() {
+ return ready;
+ }
+
+ public String getKeyStoreType() {
+ return keyStore.getType();
+ }
+ public void setKeyStoreType(String certificateType) {
+ this.keyStore.setType( certificateType) ;
+ }
+ public String getKeyStoreFile() {
+ return keyStore.getFile();
+ }
+ public void setKeyStoreFile(String keyStoreFile) {
+ this.keyStore.setFile(keyStoreFile);
+ }
+
+ public String getKeyStorePassword() {
+ return keyStore.getPassword();
+ }
+ public void setKeyStorePassword(String keyStorePassword) {
+ this.keyStore.setPassword(keyStorePassword);
+ }
+ public String getTrustStoreType() {
+ return trustStore.getType();
+ }
+ public void setTrustStoreType( String type ) {
+ this.trustStore.setType(type);
+ }
+ public String getTrustStoreFile() {
+ return trustStore.getFile();
+ }
+ public void setTrustStoreFile(String trustStoreFile) {
+ this.trustStore.setFile(trustStoreFile);
+ }
+ public String getTrustStorePassword() {
+ return trustStore.getPassword();
+ }
+ public void setTrustStorePassword(String trustStorePassword) {
+ this.trustStore.setPassword(trustStorePassword);
+ }
+
+}
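Review bot: `keyStore` and `trustStore` are declared but never assigned, so the first setter call — `this.keyStore.setType( certificateType)` — dereferences null; both subclass constructors on this page call these setters, so unless something outside the page assigns the fields, every CertificateManager construction throws NullPointerException. Initialize them at declaration: `private final cmAttribute keyStore = new cmAttribute();` and `private final cmAttribute trustStore = new cmAttribute();`. The nested class never touches the enclosing instance, so it can be `private static final class` and, by Java naming convention, `CmAttribute` (or `StoreAttribute`); its private accessors remain reachable from the outer class, so nothing else changes. A short class Javadoc stating that subclasses populate the two stores in their constructors and signal success through `ready` would help readers coming from the factory.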
diff --git a/src/main/java/org/onap/dmaap/dbcapi/server/JettyServer.java b/src/main/java/org/onap/dmaap/dbcapi/server/JettyServer.java
index 6a75d65..74a0fa6 100644
--- a/src/main/java/org/onap/dmaap/dbcapi/server/JettyServer.java
+++ b/src/main/java/org/onap/dmaap/dbcapi/server/JettyServer.java
@@ -76,20 +76,26 @@ public class JettyServer extends BaseLoggingClass {
SslContextFactory sslContextFactory = new SslContextFactory.Server();
sslContextFactory.setWantClientAuth(true);
- setUpKeystore(params, sslContextFactory);
- setUpTrustStore(params, sslContextFactory);
-
- if (sslPort != 0) {
- try (ServerConnector sslConnector = new ServerConnector(server,
- new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
- new HttpConnectionFactory(https_config))) {
- sslConnector.setPort(sslPort);
- server.addConnector(sslConnector);
- serverLogger.info("Starting sslConnector on port " + sslPort + " for https");
- }
+ CertificateManager certificateManager = new CertficateManagerFactory(params).initCertificateManager();
+ if ( ! certificateManager.isReady()) {
+ serverLogger.error("CertificateManager is not ready. NOT starting https!");
} else {
- serverLogger.info("NOT starting sslConnector because InHttpsPort param is " + sslPort );
- }
+ setUpKeystore(certificateManager, sslContextFactory);
+ setUpTrustStore(certificateManager, sslContextFactory);
+
+
+ if (sslPort != 0) {
+ try (ServerConnector sslConnector = new ServerConnector(server,
+ new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
+ new HttpConnectionFactory(https_config))) {
+ sslConnector.setPort(sslPort);
+ server.addConnector(sslConnector);
+ serverLogger.info("Starting sslConnector on port " + sslPort + " for https");
+ }
+ } else {
+ serverLogger.info("NOT starting sslConnector because InHttpsPort param is " + sslPort );
+ }
+ }
if (allowHttp) {
serverLogger.info("Starting httpConnector on port " + httpPort);
server.addConnector(httpConnector);
@@ -141,19 +147,20 @@ public class JettyServer extends BaseLoggingClass {
Sets.newEnumSet(Sets.newHashSet(DispatcherType.FORWARD, DispatcherType.REQUEST), DispatcherType.class));
}
- private void setUpKeystore(Properties params, SslContextFactory sslContextFactory) {
- String keystore = params.getProperty("KeyStoreFile", "etc/keystore");
+ private void setUpKeystore(CertificateManager certificateManager, SslContextFactory sslContextFactory) {
+ String keystore = certificateManager.getKeyStoreFile();
logger.info("https Server using keystore at " + keystore);
sslContextFactory.setKeyStorePath(keystore);
- sslContextFactory.setKeyStorePassword(params.getProperty("KeyStorePassword", "changeit"));
- sslContextFactory.setKeyManagerPassword(params.getProperty("KeyPassword", "changeit"));
+ sslContextFactory.setKeyStoreType(certificateManager.getKeyStoreType());
+ sslContextFactory.setKeyStorePassword(certificateManager.getKeyStorePassword());
+ sslContextFactory.setKeyManagerPassword(certificateManager.getKeyStorePassword());
}
- private void setUpTrustStore(Properties params, SslContextFactory sslContextFactory) {
- String truststore = params.getProperty("TrustStoreFile", "etc/org.onap.dmaap-bc.trust.jks");
+ private void setUpTrustStore(CertificateManager certificateManager, SslContextFactory sslContextFactory) {
+ String truststore = certificateManager.getTrustStoreFile();
logger.info("https Server using truststore at " + truststore);
sslContextFactory.setTrustStorePath(truststore);
- sslContextFactory.setTrustStoreType(params.getProperty("TrustStoreType", "jks"));
- sslContextFactory.setTrustStorePassword(params.getProperty("TrustStorePassword", "changeit"));
+ sslContextFactory.setTrustStoreType(certificateManager.getTrustStoreType());
+ sslContextFactory.setTrustStorePassword(certificateManager.getTrustStorePassword());
}
}
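Review bot: In `setUpKeystore` the key-manager password is now `certificateManager.getKeyStorePassword()`, whereas the removed line read a separate `KeyPassword` property; neither CertificateManager subclass on this page exposes a key password, so a legacy deployment whose private-key password differs from its keystore password would no longer be able to start https after this change. Either add a `getKeyPassword()` to CertificateManager (with LegacyCertificateManager reading `KeyPassword` as before, defaulting to the keystore password) or state in the commit message that the two passwords are now required to be identical. In the first hunk, when `isReady()` is false the error is logged and execution falls through to the `allowHttp` block, so a broken keystore configuration yields a server that, if `allowHttp` is set, is reachable over plain http only; since the enclosing method continues outside the hunk, consider treating `sslPort != 0 && !certificateManager.isReady()` as fatal rather than a log line. The not-ready branch also logs "NOT starting https!" even when `sslPort == 0`, where https was never going to start.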
diff --git a/src/main/java/org/onap/dmaap/dbcapi/server/LegacyCertificateManager.java b/src/main/java/org/onap/dmaap/dbcapi/server/LegacyCertificateManager.java
new file mode 100644
index 0000000..bd54003
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dbcapi/server/LegacyCertificateManager.java
@@ -0,0 +1,39 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.dmaap.dbcapi.server;
+
+import java.util.Properties;
+
+import org.onap.dmaap.dbcapi.util.DmaapConfig;
+
+public class LegacyCertificateManager extends CertificateManager {
+
+ public LegacyCertificateManager(Properties properties ) {
+ setKeyStoreType( properties.getProperty("KeyStoreType", "jks") );
+ setKeyStoreFile( properties.getProperty("KeyStoreFile", "etc/keystore") );
+ setKeyStorePassword( properties.getProperty("KeyStorePassword", "changeit") );
+
+ setTrustStoreFile( properties.getProperty("TrustStoreFile", "etc/org.onap.dmaap-bc.trust.jks") );
+ setTrustStoreType( properties.getProperty("TrustStoreType", "jks") );
+ setTrustStorePassword( properties.getProperty("TrustStorePassword", "changeit") );
+ ready = true;
+ }
+
+}
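Review bot: `import org.onap.dmaap.dbcapi.util.DmaapConfig;` is unused in this file and should be dropped. The constructor is `public` while `CadiCertificateManager`'s is package-private; since both are only meant to be created through the factory, make this one package-private too so the factory stays the single entry point. A class Javadoc noting that this manager reads the pre-existing `KeyStore*`/`TrustStore*` properties with their previous defaults and reports `ready` unconditionally (it does not check that the files exist) would make the contrast with the CADI manager explicit.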
diff --git a/version.properties b/version.properties
index 9afec0f..8d3835e 100644
--- a/version.properties
+++ b/version.properties
@@ -27,7 +27,7 @@
major=2
minor=0
-patch=1
+patch=2
base_version=${major}.${minor}.${patch}
# Release must be completed with git revision # in Jenkins