Accept only Whitelisted Repos from Tosca Template

Issue-ID: POLICY-3894
Change-Id: Iaffaf3f1243f6070c600a58891899e9e1e326732
Signed-off-by: Lathish <lathishbabu.ganesan@est.tech>

6 files changed, 89 insertions, 23 deletions

diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java
new file mode 100644
index 000000000..4d00e38ec
--- /dev/null
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java
@@ -0,0 +1,41 @@
+/*-
+ * ============LICENSE_START=======================================================
+ *  Copyright (C) 2022 Nordix Foundation.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.policy.clamp.acm.participant.kubernetes.configurations;
+
+import java.lang.invoke.MethodHandles;
+import java.util.ArrayList;
+import java.util.List;
+import lombok.Data;
+import org.onap.policy.clamp.acm.participant.kubernetes.models.HelmRepository;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+
+@Component
+@ConfigurationProperties(prefix = "helm")
+@Data
+public class HelmRepositoryConfig {
+
+    private final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
+    private List<HelmRepository> repos = new ArrayList<>();
+}
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/handler/AutomationCompositionElementHandler.java b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/handler/AutomationCompositionElementHandler.java
index 753608686..b4cca3acf 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/handler/AutomationCompositionElementHandler.java
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/handler/AutomationCompositionElementHandler.java
@@ -146,13 +146,14 @@ public class AutomationCompositionElementHandler implements AutomationCompositio
         LOGGER.info("Installation request received for the Helm Chart {} ", chartData);
         try {
             var chartInfo = CODER.convert(chartData, ChartInfo.class);
-            chartService.installChart(chartInfo);
-            chartMap.put(element.getId(), chartInfo);
-
-            var config = CODER.convert(nodeTemplate.getProperties(), ThreadConfig.class);
-            checkPodStatus(automationCompositionId, element.getId(), chartInfo, config.uninitializedToPassiveTimeout,
-                    config.podStatusCheckInterval);
-
+            if (chartService.installChart(chartInfo)) {
+                chartMap.put(element.getId(), chartInfo);
+
+                var config = CODER.convert(nodeTemplate.getProperties(),
+                        ThreadConfig.class);
+                checkPodStatus(automationCompositionId, element.getId(), chartInfo,
+                        config.uninitializedToPassiveTimeout, config.podStatusCheckInterval);
+            }
         } catch (ServiceException | CoderException | IOException | ExecutionException
                 | InterruptedException e) {
             LOGGER.warn("Installation of Helm chart failed", e);
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/helm/HelmClient.java b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/helm/HelmClient.java
index 6a7c62b2e..f3f7d3427 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/helm/HelmClient.java
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/helm/HelmClient.java
@@ -190,18 +190,14 @@ public class HelmClient {
         if (StringUtils.isEmpty(repo.getAddress())) {
             throw new ServiceException("Repository Should have valid address");
         }
-        var url = repo.getProtocol() + "://" + repo.getAddress();
-        if (repo.getPort() != null) {
-            url =  url + ":" + repo.getPort();
-        }
         // @formatter:off
         List<String> helmArguments = new ArrayList<>(
                 List.of(
                         "helm",
                         "repo",
-                        "add", repo.getRepoName(), url
+                        "add", repo.getRepoName(), repo.getAddress()
                 ));
-        if (repo.getUserName() != null && repo.getPassword() != null) {
+        if (!StringUtils.isEmpty(repo.getUserName()) && !StringUtils.isEmpty(repo.getPassword())) {
             helmArguments.addAll(List.of("--username", repo.getUserName(), "--password",  repo.getPassword()));
         }
         return new ProcessBuilder().command(helmArguments);
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/models/HelmRepository.java b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/models/HelmRepository.java
index 2e25e42a6..ff3b9e336 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/models/HelmRepository.java
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/models/HelmRepository.java
@@ -1,6 +1,6 @@
 /*-
  * ========================LICENSE_START=================================
- * Copyright (C) 2021 Nordix Foundation. All rights reserved.
+ * Copyright (C) 2021-2022 Nordix Foundation. All rights reserved.
  * ======================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,21 +18,21 @@
 
 package org.onap.policy.clamp.acm.participant.kubernetes.models;
 
+import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
+import lombok.NoArgsConstructor;
 
 @Data
 @Builder
+@NoArgsConstructor
+@AllArgsConstructor
 public class HelmRepository {
 
     private String repoName;
 
-    private String protocol;
-
     private String address;
 
-    private String port;
-
     private String userName;
 
     private String password;
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java
index dc4762d9a..e9cd8a2c3 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java
@@ -21,6 +21,7 @@ package org.onap.policy.clamp.acm.participant.kubernetes.service;
 import java.io.IOException;
 import java.lang.invoke.MethodHandles;
 import java.util.Collection;
+import org.onap.policy.clamp.acm.participant.kubernetes.configurations.HelmRepositoryConfig;
 import org.onap.policy.clamp.acm.participant.kubernetes.exception.ServiceException;
 import org.onap.policy.clamp.acm.participant.kubernetes.helm.HelmClient;
 import org.onap.policy.clamp.acm.participant.kubernetes.models.ChartInfo;
@@ -41,6 +42,9 @@ public class ChartService {
     @Autowired
     private HelmClient helmClient;
 
+    @Autowired
+    private HelmRepositoryConfig helmRepositoryConfig;
+
     /**
      * Get all the installed charts.
      * @return list of charts.
@@ -84,25 +88,40 @@ public class ChartService {
     /**
      * Install a helm chart.
      * @param chart name and version.
+     * @return boolean flag to indicate success or failure
      * @throws ServiceException in case of error
      * @throws IOException in case of IO errors
      */
-    public void installChart(ChartInfo chart) throws ServiceException, IOException {
+    public boolean installChart(ChartInfo chart) throws ServiceException, IOException {
+        boolean whiteListed = false;
         if (chart.getRepository() == null) {
             String repoName = findChartRepo(chart);
             if (repoName == null) {
                 logger.error("Chart repository could not be found. Skipping chart Installation "
                     + "for the chart {} ", chart.getChartId().getName());
-                return;
+                return false;
             } else {
                 HelmRepository repo = HelmRepository.builder().repoName(repoName).build();
                 chart.setRepository(repo);
             }
         } else {
             // Add remote repository if passed via TOSCA
-            configureRepository(chart.getRepository());
+            // check whether the repo is whitelisted
+            for (HelmRepository repo : helmRepositoryConfig.getRepos()) {
+                if (repo.getAddress().equals(chart.getRepository().getAddress())
+                        && chart.getRepository().getAddress().contains("https")) {
+                    configureRepository(chart.getRepository());
+                    whiteListed = true;
+                    break;
+                }
+            }
+            if (!whiteListed) {
+                logger.error("Repository is not Whitelisted / plain http in not allowed");
+                return false;
+            }
         }
         helmClient.installChart(chart);
+        return true;
     }
 
 
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml b/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml
index 3be0fb2c0..3718fed26 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml
@@ -13,7 +13,7 @@ participant:
     reportingTimeIntervalMs: 120000
     description: Participant Description
     participantId:
-      name: org.onap.policy.clamp.acm.KubernetesParticipant
+      name: K8sParticipant0
       version: 2.3.4
     participantType:
       name: org.onap.k8s.acm.K8SAutomationCompositionParticipant
@@ -46,7 +46,7 @@ server:
 logging:
   # Configuration of logging
   level:
-    ROOT: ERROR
+    ROOT: INFO
     org.springframework: ERROR
     org.springframework.data: ERROR
     org.springframework.web.reactive.function.client.ExchangeFunctions: ERROR
@@ -58,3 +58,12 @@ logging:
 chart:
   api:
     enabled: false
+
+helm:
+  repos:
+    -
+      repoName: kong
+      address: https://charts.konghq.com
+    -
+      repoName: bitnami
+      address: https://charts.bitnami.com/bitnami
\ No newline at end of file