-rw-r--r-- | README.md | 7 | ||||
-rw-r--r-- | pom.xml | 40 | ||||
-rw-r--r-- | src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java | 11 | ||||
-rw-r--r-- | src/main/resources/application-noaaf.properties | 2 | ||||
-rw-r--r-- | src/main/resources/application.properties | 2 | ||||
-rw-r--r-- | src/main/resources/clds/aaf/org.onap.clamp.p12 | bin | 4155 -> 0 bytes | |||
-rw-r--r-- | src/test/java/org/onap/policy/clamp/clds/it/HttpsItCase.java | 115 | ||||
-rw-r--r-- | src/test/resources/https/https-test.properties | 2 |
8 files changed, 88 insertions, 91 deletions
@@ -114,7 +114,12 @@ With the default log settings, all logs will be generated into console and into You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json` -## Clamp AAF - Renew Certificates +## Clamp AAF - Renew Certificates +This is not required anymore as in OOM the certificate are generated automatically. +A certificate is automatically generated during the "build" and it overwrites the p12 located in the +resource clds/aaf/org.onap.clamp.p12. + + - Connect to windriver with openvpn - create a folder aaf-renewal and go to it - create a file aaf.props with that content (or run the agent.sh script below, it will prompt you for values at first run)
@@ -1266,6 +1266,46 @@
 </arguments>
 </configuration>
 </plugin>
+ <!-- Plugin to generate a X509 Certificate for https tests -->
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>keytool-maven-plugin</artifactId>
+ <version>1.5</version>
+ <executions>
+ <execution>
+ <id>add-certificate-for-dev</id>
+ <configuration>
+ <keystore>${project.build.directory}/classes/clds/aaf/org.onap.clamp.p12</keystore>
+ <storepass>China in the Spring</storepass>
+ <alias>clamptest</alias>
+ <storetype>PKCS12</storetype>
+ <keyalg>RSA</keyalg>
+ <dname>cn=CN, ou=OU, o=O, c=C</dname>
+ <validity>365</validity>
+ </configuration>
+ <goals>
+ <goal>generateKeyPair</goal>
+ </goals>
+ <phase>generate-resources</phase>
+ </execution>
+ <execution>
+ <id>add-certificate-for-test</id>
+ <configuration>
+ <keystore>${project.build.directory}/test-classes/clds/aaf/org.onap.clamp.p12</keystore>
+ <storepass>China in the Spring</storepass>
+ <alias>clamptest</alias>
+ <storetype>PKCS12</storetype>
+ <keyalg>RSA</keyalg>
+ <dname>cn=CN, ou=OU, o=O, c=C</dname>
+ <validity>365</validity>
+ </configuration>
+ <goals>
+ <goal>generateKeyPair</goal>
+ </goals>
+ <phase>generate-test-resources</phase>
+ </execution>
+ </executions>
+ </plugin>
 </plugins>
 </build>
 </project>
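Review bot: The two keytool executions in the new pom.xml plugin block duplicate the keystore password, alias, store type, key algorithm, DN and validity, so the dev and test keystores can drift apart on the next edit; hoist the shared values into `<properties>` (for example a constructed `${clamp.dev.keystore.password}` and `${clamp.dev.keystore.alias}`) and reference them from both `<configuration>` blocks. Neither execution sets `<keysize>`, so the RSA key length depends on the default of whichever JDK runs the build; pin it explicitly (2048 or larger) so every environment produces an equivalent keystore. The first execution writes into `${project.build.directory}/classes`, which means the placeholder key with DN `cn=CN, ou=OU, o=O, c=C` ends up inside the packaged artifact, and a comment such as `<!-- Dev/test placeholder keystore only; the deployment (OOM, see README) supplies the real one -->` on the `add-certificate-for-dev` execution would make that intent visible to whoever audits the jar. The plaintext `<storepass>` is presumably the value that the `enc:` password in the properties files decrypts to; that coupling is not stated anywhere in the hunk and deserves a one-line comment.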
diff --git a/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java b/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java
index 329cb4bed..a72cffd09 100644
--- a/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java
+++ b/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java
@@ -2,7 +2,7 @@
 * ============LICENSE_START=======================================================
 * ONAP CLAMP
 * ================================================================================
- * Copyright (C) 2019 AT&T Intellectual Property. All rights
+ * Copyright (C) 2019, 2021 AT&T Intellectual Property. All rights
 * reserved.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
@@ -74,6 +74,7 @@ public class SslConfig {
 password.toCharArray());
 return truststore;
 }
+
 });
 }
 
@@ -83,9 +84,13 @@ public class SslConfig {
 return (tomcat) -> tomcat.setSsl(new Ssl() {
 @Override
 public String getKeyPassword() {
- String password = PassDecoder.decode(env.getProperty("server.ssl.key-password"),
+ return PassDecoder.decode(env.getProperty("server.ssl.key-password"),
 env.getProperty("clamp.config.keyFile"));
- return password;
+ }
+
+ @Override
+ public String getKeyAlias() {
+ return env.getProperty("server.ssl.key-alias");
 }
 });
 }
diff --git a/src/main/resources/application-noaaf.properties b/src/main/resources/application-noaaf.properties
index 6b28cf7ef..ba838adb8 100644
--- a/src/main/resources/application-noaaf.properties
+++ b/src/main/resources/application-noaaf.properties
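Review bot: The new `getKeyAlias()` override in the third SslConfig hunk passes `env.getProperty("server.ssl.key-alias")` straight through, so when the property is missing it returns null and key selection is left to Tomcat; if that fallback is intended the override should say so, otherwise fail fast with `return Objects.requireNonNull(env.getProperty("server.ssl.key-alias"), "server.ssl.key-alias");` (java.util.Objects). Because the customizer does `tomcat.setSsl(new Ssl() { ... })`, every Ssl getter that is not overridden appears to fall back to the `Ssl` defaults rather than to the property-bound values, which is the reason the alias has to be re-read from the Environment here; a Javadoc on the override along the lines of `/** Alias of the server key in the key store, read from the Environment because this customizer replaces the Ssl object bound from server.ssl.*. */` would save the next reader from re-deriving that. The enclosing method starts before the hunk, so any further overrides are not visible. The lone blank line added in the second hunk between `}` and `});` is a style nit that can be dropped.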
@@ -53,7 +53,7 @@ server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12 server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc server.ssl.key-store-type=PKCS12 -server.ssl.key-alias=clamp@clamp.onap.org +server.ssl.key-alias=clamptest ## Config part for Client certificates server.ssl.client-auth=want diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 1b5a26d0a..7d2d4ef1b 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -58,7 +58,7 @@ server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12 server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc server.ssl.key-store-type=PKCS12 -server.ssl.key-alias=clamp@clamp.onap.org +server.ssl.key-alias=clamptest # The key file used to decode the key store and trust store password # If not defined, the key store and trust store password will not be decrypted diff --git a/src/main/resources/clds/aaf/org.onap.clamp.p12 b/src/main/resources/clds/aaf/org.onap.clamp.p12 Binary files differdeleted file mode 100644 index 268aa1a3c..000000000 --- a/src/main/resources/clds/aaf/org.onap.clamp.p12 +++ /dev/null diff --git a/src/test/java/org/onap/policy/clamp/clds/it/HttpsItCase.java b/src/test/java/org/onap/policy/clamp/clds/it/HttpsItCase.java index 9dd2130c6..1a4a2ec5f 100644 --- a/src/test/java/org/onap/policy/clamp/clds/it/HttpsItCase.java +++ b/src/test/java/org/onap/policy/clamp/clds/it/HttpsItCase.java 
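Review bot: `server.ssl.key-alias=clamptest` now ties the runtime configuration in application-noaaf.properties and application.properties (and https-test.properties in the last hunk of this commit) to the alias that the keytool plugin uses for the build-generated placeholder keystore, so a deployment that supplies its own org.onap.clamp.p12 — the README hunk says OOM does — must either issue its key under alias `clamptest` or override this property, and nothing in the file says so. Add next to the property: `# Must match the alias of the key inside server.ssl.key-store; the build-generated dev keystore uses 'clamptest'`. The unchanged `server.ssl.key-store-password=enc:...` also has to decrypt to the `<storepass>` hard-coded in pom.xml for the generated keystore to open, which is presumably why the password lines were left untouched; one comment naming that coupling would turn a silent startup failure into an obvious one.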
@@ -2,7 +2,7 @@
 * ============LICENSE_START=======================================================
 * ONAP CLAMP
 * ================================================================================
- * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights
+ * Copyright (C) 2017-2018, 2021 AT&T Intellectual Property. All rights
 * reserved.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
@@ -26,17 +26,19 @@ package org.onap.policy.clamp.clds.it; import static org.assertj.core.api.Assertions.assertThat; import java.io.File; -import java.io.IOException; -import java.net.HttpURLConnection; import java.nio.charset.Charset; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.HttpsURLConnection; +import java.security.KeyManagementException; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSession; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; import org.apache.commons.io.FileUtils; -import org.junit.BeforeClass; +import org.apache.http.conn.ssl.NoopHostnameVerifier; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.http.conn.ssl.TrustStrategy; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClients; import org.junit.Test; import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Value;
@@ -44,7 +46,7 @@ import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.http.client.SimpleClientHttpRequestFactory;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit4.SpringRunner;
@@ -64,53 +66,13 @@ public class HttpsItCase { @Value("${server.http-to-https-redirection.port}") private String httpPort; - /** - * Setup the variable before tests execution. - */ - @BeforeClass - public static void setUp() { - try { - // setup ssl context to ignore certificate errors - SSLContext ctx = SSLContext.getInstance("TLS"); - X509TrustManager tm = new X509TrustManager() { - - @Override - public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) - throws java.security.cert.CertificateException { - } - - @Override - public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) - throws java.security.cert.CertificateException { - } - - @Override - public java.security.cert.X509Certificate[] getAcceptedIssuers() { - return null; - } - }; - ctx.init(null, new TrustManager[] { tm }, null); - SSLContext.setDefault(ctx); - } catch (Exception ex) { - ex.printStackTrace(); - } - } - @Test public void testDesignerIndex() throws Exception { - RestTemplate template = new RestTemplate(); - final MySimpleClientHttpRequestFactory factory = new MySimpleClientHttpRequestFactory(new HostnameVerifier() { - - @Override - public boolean verify(final String hostname, final SSLSession session) { - return true; - } - }); - template.setRequestFactory(factory); - ResponseEntity<String> entity = template.getForEntity("http://localhost:" + this.httpPort + "/swagger.html", - String.class); + ResponseEntity<String> entity = + new RestTemplate().getForEntity("http://localhost:" + this.httpPort + "/swagger.html", + String.class); assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FOUND); - ResponseEntity<String> httpsEntity = template + ResponseEntity<String> httpsEntity = getRestTemplate() .getForEntity("https://localhost:" + this.httpsPort + "/swagger.html", String.class); assertThat(httpsEntity.getStatusCode()).isEqualTo(HttpStatus.OK); assertThat(httpsEntity.getBody()).contains("Clamp Rest API"); 
@@ -118,16 +80,7 @@ public class HttpsItCase { @Test public void testSwaggerJson() throws Exception { - RestTemplate template = new RestTemplate(); - final MySimpleClientHttpRequestFactory factory = new MySimpleClientHttpRequestFactory(new HostnameVerifier() { - - @Override - public boolean verify(final String hostname, final SSLSession session) { - return true; - } - }); - template.setRequestFactory(factory); - ResponseEntity<String> httpsEntity = template + ResponseEntity<String> httpsEntity = getRestTemplate() .getForEntity("https://localhost:" + this.httpsPort + "/restservices/clds/api-doc", String.class); assertThat(httpsEntity.getStatusCode()).isEqualTo(HttpStatus.OK); assertThat(httpsEntity.getBody()).contains("swagger"); 
@@ -135,25 +88,19 @@ public class HttpsItCase { Charset.defaultCharset()); } - /** - * Http Request Factory for ignoring SSL hostname errors. Not for production - * use! - */ - class MySimpleClientHttpRequestFactory extends SimpleClientHttpRequestFactory { - - private final HostnameVerifier verifier; - - public MySimpleClientHttpRequestFactory(final HostnameVerifier verifier) { - this.verifier = verifier; - } - - @Override - protected void prepareConnection(final HttpURLConnection connection, final String httpMethod) - throws IOException { - if (connection instanceof HttpsURLConnection) { - ((HttpsURLConnection) connection).setHostnameVerifier(this.verifier); - } - super.prepareConnection(connection, httpMethod); - } + private RestTemplate getRestTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException { + SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom() + .loadTrustMaterial(null, new TrustStrategy() { + @Override + public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { + return true; + } + }).build(); + SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, new NoopHostnameVerifier()); + CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build(); + HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(); + requestFactory.setHttpClient(httpClient); + RestTemplate restTemplate = new RestTemplate(requestFactory); + return restTemplate; } } diff --git a/src/test/resources/https/https-test.properties b/src/test/resources/https/https-test.properties index 86e444efe..aeae64036 100644 --- a/src/test/resources/https/https-test.properties +++ b/src/test/resources/https/https-test.properties 
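Review bot: The new `getRestTemplate()` builds a client whose `isTrusted` always returns true and that uses `NoopHostnameVerifier`, but the "Not for production use!" Javadoc that the removed `MySimpleClientHttpRequestFactory` carried was not carried over; give the method a Javadoc stating that it is test-only because the build generates a self-signed keystore with a placeholder DN, and that this trust-everything client must never be copied into main code. The `CloseableHttpClient` created on each call is never closed, and the method is invoked from both https tests, so either keep a single client in a `static` field or close it in an `@AfterClass`. `TrustStrategy` has a single method, so the anonymous class can be `.loadTrustMaterial(null, (chain, authType) -> true)`, `new NoopHostnameVerifier()` can be `NoopHostnameVerifier.INSTANCE`, and `return new RestTemplate(requestFactory);` removes the `restTemplate` local. The shortened `testDesignerIndex` and `testSwaggerJson` hunks above read fine as is.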
@@ -31,7 +31,7 @@ server.ssl.key-store=classpath:clds/aaf/org.onap.clamp.p12 server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc server.ssl.key-store-type=PKCS12 -server.ssl.key-alias=clamp@clamp.onap.org +server.ssl.key-alias=clamptest # The key file used to decode the key store and trust store password # If not defined, the key store and trust store password will not be decrypted |