diff options
author | vasraz <vasyl.razinkov@est.tech> | 2023-05-05 11:57:56 +0100 |
---|---|---|
committer | Vasyl Razinkov <vasyl.razinkov@est.tech> | 2023-05-08 13:11:02 +0000 |
commit | a2feaf9b65cbba66181fb560b5815a62427d65cc (patch) | |
tree | be49cc57d447f7bb94e717e1ee970d4b095e1473 /catalog-be/src | |
parent | af3fdfce91aeea1804c76a8571c102b78dde3794 (diff) |
Support SIP TLS
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Change-Id: Icbadd04cfa87302491c59f2e4a39ef92aaafcaa3
Issue-ID: SDC-4483
Diffstat (limited to 'catalog-be/src')
7 files changed, 57 insertions, 163 deletions
diff --git a/catalog-be/src/main/docker/backend/Dockerfile b/catalog-be/src/main/docker/backend/Dockerfile index db2ab154ca..5f83e75db6 100644 --- a/catalog-be/src/main/docker/backend/Dockerfile +++ b/catalog-be/src/main/docker/backend/Dockerfile @@ -1,4 +1,4 @@ -FROM onap/integration-java11:9.0.0 +FROM onap/integration-java11:10.0.0 USER root ARG JETTY_FOLDER=/app/jetty diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb index a3e519826c..ba94e21449 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb @@ -11,11 +11,11 @@ default['disableHttp'] = true #| Jetty | #| | #+----------------------------------+ - default['jetty']['dmaap_truststore_pwd'] = "dmaap_truststore_pwd" +default['jetty']['keystore_path'] = "etc/org.onap.sdc.p12" default['jetty']['keystore_pwd'] = "?(kP!Yur![*!Y5!E^f(ZKc31" default['jetty']['keymanager_pwd'] = "?(kP!Yur![*!Y5!E^f(ZKc31" -default['jetty']['truststore_path'] = "#{ENV['JETTY_BASE']}/etc/truststore" +default['jetty']['truststore_path'] = "etc/org.onap.sdc.trust.jks" # TO CHANGE THE TRUSTSTORE CERT THE JVM CONFIGURATION # MUST BE ALSO CHANGE IN THE startup.sh FILE default['jetty'][:truststore_pwd] = "z+KEj;t+,KN^iimSiS89e#p0" diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb index 5655d0fd6f..ad66a67e22 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb @@ -51,8 +51,10 @@ template "ssl-ini" do mode "0755" variables ({ :https_port => "#{node['BE'][:https_port]}" , + :jetty_keystore_path => "#{node['jetty'][:keystore_path]}" , :jetty_keystore_pwd => "#{node['jetty'][:keystore_pwd]}" , :jetty_keymanager_pwd => "#{node['jetty'][:keymanager_pwd]}" , + :jetty_truststore_path => "#{node['jetty'][:truststore_path]}", :jetty_truststore_pwd => "#{node['jetty'][:truststore_pwd]}" }) end diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb index 278fdea2ae..c489825c7b 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb @@ -42,17 +42,17 @@ jetty.ssl.port=<%= @https_port %> ## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html ## Keystore file path (relative to $jetty.base) -jetty.sslContext.keyStorePath=etc/org.onap.sdc.p12 +jetty.sslContext.keyStorePath=<%= @jetty_keystore_path %> ## Truststore file path (relative to $jetty.base) -jetty.sslContext.trustStorePath=etc/org.onap.sdc.trust.jks +jetty.sslContext.trustStorePath=<%= @jetty_truststore_path %> ## Keystore password # jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 jetty.sslContext.keyStorePassword=<%= @jetty_keystore_pwd %> ## Keystore type and provider -# jetty.sslContext.keyStoreType=JKS +jetty.sslContext.keyStoreType=JKS # jetty.sslContext.keyStoreProvider= ## KeyManager password @@ -64,7 +64,7 @@ jetty.sslContext.keyManagerPassword=<%= @jetty_keymanager_pwd %> jetty.sslContext.trustStorePassword=<%= @jetty_truststore_pwd %> ## Truststore type and provider -# jetty.sslContext.trustStoreType=JKS +jetty.sslContext.trustStoreType=JKS # jetty.sslContext.trustStoreProvider= ## whether client certificate authentication is required diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeCadiServletFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeCadiServletFilter.java deleted file mode 100644 index 7edd1621b1..0000000000 --- a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeCadiServletFilter.java +++ /dev/null @@ -1,151 +0,0 @@ -/*- - * ============LICENSE_START======================================================= - * SDC - * ================================================================================ - * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ -package org.openecomp.sdc.be.filters; - -import java.io.IOException; -import java.util.function.Supplier; -import javax.annotation.Priority; -import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; -import javax.servlet.ServletContext; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletRequest; -import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.PropAccess; -import org.onap.aaf.cadi.config.Config; -import org.onap.aaf.cadi.filter.CadiFilter; -import org.openecomp.sdc.be.components.impl.CADIHealthCheck; -import org.openecomp.sdc.be.config.CadiFilterParams; -import org.openecomp.sdc.be.config.ConfigurationManager; -import org.openecomp.sdc.be.impl.WebAppContextWrapper; -import org.openecomp.sdc.common.api.Constants; -import org.openecomp.sdc.common.api.HealthCheckInfo; -import org.openecomp.sdc.common.log.wrappers.Logger; -import org.openecomp.sdc.common.util.ThreadLocalsHolder; -import org.springframework.web.context.WebApplicationContext; - -@Priority(2) -public class BeCadiServletFilter extends CadiFilter { - - private static final Logger log = Logger.getLogger(BeCadiServletFilter.class); - private static final String BE_CADI_SERVICE_FILTER = "BeCadiServletFilter: "; - private ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager(); - - public BeCadiServletFilter() { - super(); - log.debug(BE_CADI_SERVICE_FILTER); - } - - /** - * This constructor to be used when directly constructing and placing in HTTP Engine - * - * @param access - * @param moreTafLurs - * @throws ServletException - */ - public BeCadiServletFilter(Access access, Object... moreTafLurs) throws ServletException { - super(access, moreTafLurs); - log.debug(BE_CADI_SERVICE_FILTER); - } - - /** - * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it - * - * @param init - * @param access - * @param moreTafLurs - * @throws ServletException - */ - public BeCadiServletFilter(boolean init, PropAccess access, Object... moreTafLurs) throws ServletException { - super(init, access, moreTafLurs); - log.debug(BE_CADI_SERVICE_FILTER); - } - - private void checkIfNullProperty(String key, String value) { - /* When value is null, so not defined in application.properties - set nothing in System properties */ - if (value != null) { - /* Ensure that any properties already defined in System.prop by JVM params - won't be overwritten by Spring application.properties values */ - System.setProperty(key, System.getProperty(key, value)); - } - } - - @Override - public void init(FilterConfig filterConfig) throws ServletException { - // set some properties in System so that Cadi filter will find its config - - // The JVM values set will always overwrite the Spring ones. - CadiFilterParams cadiFilterParams = configurationManager.getConfiguration().getCadiFilterParams(); - checkIfNullProperty(Config.HOSTNAME, cadiFilterParams.getHostname()); - log.debug("BeCadiServletFilter: HOSTNAME", cadiFilterParams.getHostname()); - checkIfNullProperty(Config.CADI_KEYFILE, cadiFilterParams.getCadi_keyfile()); - checkIfNullProperty(Config.CADI_LOGLEVEL, cadiFilterParams.getCadi_loglevel()); - checkIfNullProperty(Config.CADI_LATITUDE, cadiFilterParams.getAFT_LATITUDE()); - checkIfNullProperty(Config.CADI_LONGITUDE, cadiFilterParams.getAFT_LONGITUDE()); - checkIfNullProperty(Config.AAF_URL, cadiFilterParams.getAaf_url()); - //checkIfNullProperty(Config.AAF_LOCATE_URL, cadiFilterParams.getAafLocateUrl()); - checkIfNullProperty(Config.AAF_APPID, cadiFilterParams.getAaf_id()); - checkIfNullProperty(Config.AAF_APPPASS, cadiFilterParams.getAaf_password()); - checkIfNullProperty(Config.AAF_ENV, cadiFilterParams.getAFT_ENVIRONMENT()); - checkIfNullProperty(Config.CADI_X509_ISSUERS, cadiFilterParams.getCadiX509Issuers()); - checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiFilterParams.getCadi_truststore()); - checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiFilterParams.getCadi_truststore_password()); - super.init(filterConfig); - log.debug("BeCadiServletFilter finishing init(), Current status of CADI would be UP"); - if (!isNeedAuth()) { - CADIHealthCheck.getCADIHealthCheckInstance().setIsCADIUp(HealthCheckInfo.HealthCheckStatus.DOWN); - } else { - CADIHealthCheck.getCADIHealthCheckInstance().setIsCADIUp(HealthCheckInfo.HealthCheckStatus.UP); - } - } - - @Override - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { - if (ThreadLocalsHolder.isExternalRequest() && isNeedAuth()) { - log.debug("doFilter: {}", request.getContentType()); - HttpServletRequest hreq = (HttpServletRequest) request; - log.debug("Need aaf authentication : {}", hreq); - ThreadLocalUtils threadLocalUtils = getThreadLocalUtils(((HttpServletRequest) request).getSession().getServletContext()); - threadLocalUtils.setUserContext((HttpServletRequest) request); - super.doFilter(request, response, chain); - } else { - log.debug("No need aaf authentication"); - chain.doFilter(request, response); - } - } - - private boolean isNeedAuth() { - return configurationManager.getConfiguration().getAafAuthNeeded(); - } - - ThreadLocalUtils getThreadLocalUtils(ServletContext context) { - return getClassFromWebAppContext(context, () -> ThreadLocalUtils.class); - } - - <T> T getClassFromWebAppContext(ServletContext context, Supplier<Class<T>> businessLogicClassGen) { - WebAppContextWrapper webApplicationContextWrapper = (WebAppContextWrapper) context - .getAttribute(Constants.WEB_APPLICATION_CONTEXT_WRAPPER_ATTR); - WebApplicationContext webApplicationContext = webApplicationContextWrapper.getWebAppContext(context); - return webApplicationContext.getBean(businessLogicClassGen.get()); - } -} diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/listen/BEAppContextListener.java b/catalog-be/src/main/java/org/openecomp/sdc/be/listen/BEAppContextListener.java index 76be33cedf..0bd921db54 100644 --- a/catalog-be/src/main/java/org/openecomp/sdc/be/listen/BEAppContextListener.java +++ b/catalog-be/src/main/java/org/openecomp/sdc/be/listen/BEAppContextListener.java @@ -39,6 +39,7 @@ public class BEAppContextListener extends AppContextListener implements ServletC private static final String MANIFEST_FILE_NAME = "/META-INF/MANIFEST.MF"; private static final Logger log = Logger.getLogger(BEAppContextListener.class); + @Override public void contextInitialized(ServletContextEvent context) { super.contextInitialized(context); ConfigurationManager configurationManager = new ConfigurationManager(ExternalConfiguration.getConfigurationSource()); diff --git a/catalog-be/src/main/java/org/openecomp/sdc/config/CatalogBESpringConfig.java b/catalog-be/src/main/java/org/openecomp/sdc/config/CatalogBESpringConfig.java index b38210116c..c423795a2f 100644 --- a/catalog-be/src/main/java/org/openecomp/sdc/config/CatalogBESpringConfig.java +++ b/catalog-be/src/main/java/org/openecomp/sdc/config/CatalogBESpringConfig.java @@ -21,7 +21,11 @@ */ package org.openecomp.sdc.config; +import nl.altindag.ssl.SSLFactory; +import nl.altindag.ssl.util.JettySslUtils; import org.apache.http.impl.client.CloseableHttpClient; +import org.eclipse.jetty.util.ssl.SslContextFactory; +import org.onap.config.api.JettySSLUtils; import org.onap.portalsdk.core.onboarding.exception.CipherUtilException; import org.onap.sdc.security.PortalClient; import org.openecomp.sdc.be.auditing.impl.ConfigurationProvider; @@ -29,19 +33,27 @@ import org.openecomp.sdc.be.components.impl.ComponentLocker; import org.openecomp.sdc.be.components.impl.aaf.RoleAuthorizationHandler; import org.openecomp.sdc.be.components.impl.lock.ComponentLockAspect; import org.openecomp.sdc.be.components.lifecycle.LifecycleBusinessLogic; +import org.openecomp.sdc.be.config.Configuration; import org.openecomp.sdc.be.config.ConfigurationManager; import org.openecomp.sdc.be.ecomp.converters.AssetMetadataConverter; import org.openecomp.sdc.be.filters.FilterConfiguration; import org.openecomp.sdc.be.filters.PortalConfiguration; import org.openecomp.sdc.be.filters.ThreadLocalUtils; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; -import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; +import javax.net.ssl.SSLSessionContext; +import javax.net.ssl.X509ExtendedKeyManager; +import javax.net.ssl.X509ExtendedTrustManager; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.StandardOpenOption; + + // @formatter:off -@Configuration +@org.springframework.context.annotation.Configuration @ComponentScan({ "org.openecomp.sdc.be.user", "org.openecomp.sdc.be.facade.operations", @@ -73,10 +85,11 @@ public class CatalogBESpringConfig { private static final int BEFORE_TRANSACTION_MANAGER = 0; private final ComponentLocker componentLocker; + private final JettySSLUtils.JettySslConfig sslConfig; - @Autowired public CatalogBESpringConfig(ComponentLocker componentLocker) { this.componentLocker = componentLocker; + sslConfig = JettySSLUtils.getSSLConfig(); } @Bean(name = "lifecycleBusinessLogic") @@ -132,7 +145,36 @@ public class CatalogBESpringConfig { } @Bean - public org.openecomp.sdc.be.config.Configuration configuration() { + public Configuration configuration() { return ConfigurationManager.getConfigurationManager().getConfiguration(); } + + @Bean + public SSLFactory sslFactory() throws IOException { + return SSLFactory.builder().withSwappableIdentityMaterial() + .withIdentityMaterial(Files.newInputStream(Path.of(sslConfig.getKeystorePath()), StandardOpenOption.READ), sslConfig.getKeystorePass().toCharArray(), sslConfig.getKeystoreType()).withSwappableTrustMaterial() + .withTrustMaterial(Files.newInputStream(Path.of(sslConfig.getTruststorePath()), StandardOpenOption.READ), sslConfig.getTruststorePass().toCharArray(), sslConfig.getTruststoreType()).withNeedClientAuthentication() + .build(); + } + + @Bean + public SslContextFactory.Server sslContextFactory(SSLFactory sslFactory) { + return JettySslUtils.forServer(sslFactory); + } + + @Bean + public X509ExtendedKeyManager keyManager(SSLFactory sslFactory) throws Exception { + return sslFactory.getKeyManager().orElseThrow(Exception::new); + } + + @Bean + public X509ExtendedTrustManager trustManager(SSLFactory sslFactory) throws Exception { + return sslFactory.getTrustManager().orElseThrow(Exception::new); + } + + @Bean + public SSLSessionContext serverSessionContext(SSLFactory sslFactory) { + return sslFactory.getSslContext().getServerSessionContext(); + } + } |