From d2178bc9f7d6c06f60a3a8afecd83e428d84cd78 Mon Sep 17 00:00:00 2001 From: sebdet Date: Mon, 8 Feb 2021 14:36:11 +0100 Subject: Remove test usage of the AAF certificate Fix the broken build by removing the need of the useless certificate, a new one is now generate during the build for the tests. Issue-ID: POLICY-3036 Signed-off-by: sebdet Change-Id: I11c2ff5aac8a99c7a2b7e676d6c11bbc861a1de4 Signed-off-by: sebdet --- README.md | 7 +- pom.xml | 40 +++++++ .../onap/policy/clamp/clds/config/SslConfig.java | 11 +- src/main/resources/application-noaaf.properties | 2 +- src/main/resources/application.properties | 2 +- src/main/resources/clds/aaf/org.onap.clamp.p12 | Bin 4155 -> 0 bytes .../org/onap/policy/clamp/clds/it/HttpsItCase.java | 115 ++++++--------------- src/test/resources/https/https-test.properties | 2 +- 8 files changed, 88 insertions(+), 91 deletions(-) delete mode 100644 src/main/resources/clds/aaf/org.onap.clamp.p12 diff --git a/README.md b/README.md index 031c0e8ef..ba194ec33 100644 --- a/README.md +++ b/README.md @@ -114,7 +114,12 @@ With the default log settings, all logs will be generated into console and into You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json` -## Clamp AAF - Renew Certificates +## Clamp AAF - Renew Certificates +This is not required anymore as in OOM the certificate are generated automatically. +A certificate is automatically generated during the "build" and it overwrites the p12 located in the +resource clds/aaf/org.onap.clamp.p12. + + - Connect to windriver with openvpn - create a folder aaf-renewal and go to it - create a file aaf.props with that content (or run the agent.sh script below, it will prompt you for values at first run) diff --git a/pom.xml b/pom.xml index 6125e686d..92caece96 100644 --- a/pom.xml +++ b/pom.xml 
@@ -1266,6 +1266,46 @@
+
+
+ org.codehaus.mojo
+ keytool-maven-plugin
+ 1.5
+
+
+ add-certificate-for-dev
+
+ ${project.build.directory}/classes/clds/aaf/org.onap.clamp.p12
+ China in the Spring
+ clamptest
+ PKCS12
+ RSA
+ cn=CN, ou=OU, o=O, c=C
+ 365
+
+
+ generateKeyPair
+
+ generate-resources
+
+
+ add-certificate-for-test
+
+ ${project.build.directory}/test-classes/clds/aaf/org.onap.clamp.p12
+ China in the Spring
+ clamptest
+ PKCS12
+ RSA
+ cn=CN, ou=OU, o=O, c=C
+ 365
+
+
+ generateKeyPair
+
+ generate-test-resources
+
+
+
diff --git a/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java b/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java
index 329cb4bed..a72cffd09 100644
--- a/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java
+++ b/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * ONAP CLAMP
  * ================================================================================
- * Copyright (C) 2019 AT&T Intellectual Property. All rights
+ * Copyright (C) 2019, 2021 AT&T Intellectual Property. All rights
  * reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -74,6 +74,7 @@ public class SslConfig {
                     password.toCharArray());
             return truststore;
         }
+
     });
 }
@@ -83,9 +84,13 @@ public class SslConfig {
     return (tomcat) -> tomcat.setSsl(new Ssl() {
         @Override
         public String getKeyPassword() {
-            String password = PassDecoder.decode(env.getProperty("server.ssl.key-password"),
+            return PassDecoder.decode(env.getProperty("server.ssl.key-password"),
                 env.getProperty("clamp.config.keyFile"));
-            return password;
+        }
+
+        @Override
+        public String getKeyAlias() {
+            return env.getProperty("server.ssl.key-alias");
         }
     });
 }
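Review bot: The `add-certificate-for-dev` execution writes a self-signed key pair, protected by the clear-text store password `China in the Spring` that sits in this public pom, into `${project.build.directory}/classes/clds/aaf/org.onap.clamp.p12`, i.e. into the shipped main artifact and not only into test-classes, so whatever deploys the jar must mount a real keystore over that path or the server will start with a publicly known private key. Neither execution sets a key size, so the RSA length is whatever the building JDK's keytool defaults to; add an explicit `<keysize>2048</keysize>` (or larger) to both configurations rather than relying on that. A short comment on the plugin, `<!-- throwaway self-signed key for local/test runs only; the deployment must provide the real keystore -->`, would also record that the 365-day validity means a build cached for more than a year presents an expired certificate. The XML element names of this hunk did not survive extraction, so the exact tags around these values are inferred.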
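Review bot: The new `getKeyAlias()` override returns `server.ssl.key-alias` verbatim, including `null` when the property is absent, while the neighbouring `getKeyPassword()` goes through `PassDecoder`; the asymmetry is fine but undocumented, and a reader may assume the alias is also decoded. A Javadoc on the override would settle it: `/** Alias of the server key inside the keystore; read as plain text from server.ssl.key-alias (unlike the key password, which is decoded), null if unset. */`. The enclosing bean method and class start outside this hunk.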
diff --git a/src/main/resources/application-noaaf.properties b/src/main/resources/application-noaaf.properties
index 6b28cf7ef..ba838adb8 100644
--- a/src/main/resources/application-noaaf.properties
+++ b/src/main/resources/application-noaaf.properties
@@ -53,7 +53,7 @@ server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
 server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-store-type=PKCS12
-server.ssl.key-alias=clamp@clamp.onap.org
+server.ssl.key-alias=clamptest
 ## Config part for Client certificates
 server.ssl.client-auth=want
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 1b5a26d0a..7d2d4ef1b 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -58,7 +58,7 @@ server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
 server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-store-type=PKCS12
-server.ssl.key-alias=clamp@clamp.onap.org
+server.ssl.key-alias=clamptest
 # The key file used to decode the key store and trust store password
 # If not defined, the key store and trust store password will not be decrypted
diff --git a/src/main/resources/clds/aaf/org.onap.clamp.p12 b/src/main/resources/clds/aaf/org.onap.clamp.p12
deleted file mode 100644
index 268aa1a3c..000000000
Binary files a/src/main/resources/clds/aaf/org.onap.clamp.p12 and /dev/null differ
diff --git a/src/test/java/org/onap/policy/clamp/clds/it/HttpsItCase.java b/src/test/java/org/onap/policy/clamp/clds/it/HttpsItCase.java
index 9dd2130c6..1a4a2ec5f 100644
--- a/src/test/java/org/onap/policy/clamp/clds/it/HttpsItCase.java
+++ b/src/test/java/org/onap/policy/clamp/clds/it/HttpsItCase.java
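Review bot: In `application.properties`, the default profile and not a test file, `server.ssl.key-alias=clamptest` now names only the alias the keytool build plugin generates, whereas the previous default `clamp@clamp.onap.org` presumably matched the AAF-issued keystore; a deployment that mounts a real keystore over `clds/aaf/org.onap.clamp.p12` must therefore also override the alias, or the configured key will not be found. The `enc:` store password is left unchanged, which means it is expected to decode to the clear-text `China in the Spring` from the pom, and the two now have to be kept in sync by hand. A comment above the line would make both constraints visible: `# Alias of the build-generated self-signed key (see keytool-maven-plugin in pom.xml); override together with server.ssl.key-store when a real keystore is mounted`.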
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * ONAP CLAMP
  * ================================================================================
- * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights
+ * Copyright (C) 2017-2018, 2021 AT&T Intellectual Property. All rights
  * reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -26,17 +26,19 @@ package org.onap.policy.clamp.clds.it;
 import static org.assertj.core.api.Assertions.assertThat;
 import java.io.File;
-import java.io.IOException;
-import java.net.HttpURLConnection;
 import java.nio.charset.Charset;
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
 import org.apache.commons.io.FileUtils;
-import org.junit.BeforeClass;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.conn.ssl.TrustStrategy;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Value;
@@ -44,7 +46,7 @@ import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.http.client.SimpleClientHttpRequestFactory;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit4.SpringRunner;
@@ -64,53 +66,13 @@ public class HttpsItCase {
     @Value("${server.http-to-https-redirection.port}")
     private String httpPort;
-    /**
-     * Setup the variable before tests execution.
-     */
-    @BeforeClass
-    public static void setUp() {
-        try {
-            // setup ssl context to ignore certificate errors
-            SSLContext ctx = SSLContext.getInstance("TLS");
-            X509TrustManager tm = new X509TrustManager() {
-
-                @Override
-                public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType)
-                        throws java.security.cert.CertificateException {
-                }
-
-                @Override
-                public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType)
-                        throws java.security.cert.CertificateException {
-                }
-
-                @Override
-                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
-                    return null;
-                }
-            };
-            ctx.init(null, new TrustManager[] { tm }, null);
-            SSLContext.setDefault(ctx);
-        } catch (Exception ex) {
-            ex.printStackTrace();
-        }
-    }
-
     @Test
     public void testDesignerIndex() throws Exception {
-        RestTemplate template = new RestTemplate();
-        final MySimpleClientHttpRequestFactory factory = new MySimpleClientHttpRequestFactory(new HostnameVerifier() {
-
-            @Override
-            public boolean verify(final String hostname, final SSLSession session) {
-                return true;
-            }
-        });
-        template.setRequestFactory(factory);
-        ResponseEntity entity = template.getForEntity("http://localhost:" + this.httpPort + "/swagger.html",
-                String.class);
+        ResponseEntity entity =
+                new RestTemplate().getForEntity("http://localhost:" + this.httpPort + "/swagger.html",
+                        String.class);
         assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FOUND);
-        ResponseEntity httpsEntity = template
+        ResponseEntity httpsEntity = getRestTemplate()
                 .getForEntity("https://localhost:" + this.httpsPort + "/swagger.html", String.class);
         assertThat(httpsEntity.getStatusCode()).isEqualTo(HttpStatus.OK);
         assertThat(httpsEntity.getBody()).contains("Clamp Rest API");
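Review bot: The rewritten `entity` and `httpsEntity` declarations keep the raw `ResponseEntity` type, so `getBody()` is an `Object` and the `contains("Clamp Rest API")` assertion only works because AssertJ dispatches on the runtime value; since `String.class` is passed to `getForEntity`, the typed form `ResponseEntity<String> entity =` and `ResponseEntity<String> httpsEntity = getRestTemplate()` costs nothing and removes the raw-type warning. Removing the `@BeforeClass` that installed a trust-all `SSLContext.setDefault` is a real improvement, since that setting leaked to every other test in the JVM; it is worth a one-line comment on the test explaining that the permissive client now lives only in `getRestTemplate()`. The test method's closing brace lies outside this hunk.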
@@ -118,16 +80,7 @@ public class HttpsItCase {
     @Test
     public void testSwaggerJson() throws Exception {
-        RestTemplate template = new RestTemplate();
-        final MySimpleClientHttpRequestFactory factory = new MySimpleClientHttpRequestFactory(new HostnameVerifier() {
-
-            @Override
-            public boolean verify(final String hostname, final SSLSession session) {
-                return true;
-            }
-        });
-        template.setRequestFactory(factory);
-        ResponseEntity httpsEntity = template
+        ResponseEntity httpsEntity = getRestTemplate()
                 .getForEntity("https://localhost:" + this.httpsPort + "/restservices/clds/api-doc", String.class);
         assertThat(httpsEntity.getStatusCode()).isEqualTo(HttpStatus.OK);
         assertThat(httpsEntity.getBody()).contains("swagger");
@@ -135,25 +88,19 @@ public class HttpsItCase {
                 Charset.defaultCharset());
     }
-    /**
-     * Http Request Factory for ignoring SSL hostname errors. Not for production
-     * use!
-     */
-    class MySimpleClientHttpRequestFactory extends SimpleClientHttpRequestFactory {
-
-        private final HostnameVerifier verifier;
-
-        public MySimpleClientHttpRequestFactory(final HostnameVerifier verifier) {
-            this.verifier = verifier;
-        }
-
-        @Override
-        protected void prepareConnection(final HttpURLConnection connection, final String httpMethod)
-                throws IOException {
-            if (connection instanceof HttpsURLConnection) {
-                ((HttpsURLConnection) connection).setHostnameVerifier(this.verifier);
-            }
-            super.prepareConnection(connection, httpMethod);
-        }
+    private RestTemplate getRestTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
+        SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
+                .loadTrustMaterial(null, new TrustStrategy() {
+                    @Override
+                    public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+                        return true;
+                    }
+                }).build();
+        SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, new NoopHostnameVerifier());
+        CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
+        HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
+        requestFactory.setHttpClient(httpClient);
+        RestTemplate restTemplate = new RestTemplate(requestFactory);
+        return restTemplate;
     }
 }
diff --git a/src/test/resources/https/https-test.properties b/src/test/resources/https/https-test.properties
index 86e444efe..aeae64036 100644
--- a/src/test/resources/https/https-test.properties
+++ b/src/test/resources/https/https-test.properties
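Review bot: `getRestTemplate()` builds its `SSLContext` with a `TrustStrategy` that returns `true` for every chain and pairs it with `NoopHostnameVerifier`, so the HTTPS assertions pass against any certificate and no longer prove the server is serving the keystore the build generated; now that that keystore is on the test classpath, load it as the trust store instead, e.g. `KeyStore ks = KeyStore.getInstance("PKCS12"); ks.load(getClass().getResourceAsStream("/clds/aaf/org.onap.clamp.p12"), "China in the Spring".toCharArray());` followed by `.loadTrustMaterial(ks, null)` (the password is the one the pom already publishes; the TrustManagerFactory should pick up the key entry's certificate, worth confirming on the CI JDK). `NoopHostnameVerifier` is still needed because the generated subject is `cn=CN`, and that deserves a comment saying so rather than reading as a blanket bypass, e.g. `// generated test cert has cn=CN, so hostname checking cannot succeed against localhost`. The `CloseableHttpClient` is never closed; since the template is created per test, either keep it in a field and close it in an `@After`, or accept the leak with a comment. The anonymous `TrustStrategy` could also be a lambda if kept.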
@@ -31,7 +31,7 @@ server.ssl.key-store=classpath:clds/aaf/org.onap.clamp.p12
 server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-store-type=PKCS12
-server.ssl.key-alias=clamp@clamp.onap.org
+server.ssl.key-alias=clamptest
 # The key file used to decode the key store and trust store password
 # If not defined, the key store and trust store password will not be decrypted
-- 
cgit 1.2.3-korg