From 222555c7995645416a47bc52ed8837e3afde8e21 Mon Sep 17 00:00:00 2001 From: MichaelMorris Date: Fri, 2 Jun 2023 11:38:36 +0000 Subject: Revert "Support SIP TLS" This reverts commit a2feaf9b65cbba66181fb560b5815a62427d65cc. Reason for revert: deployment issue Change-Id: Ic21e213493f51d0c11778187ab054881bba7c21e Issue-ID: SDC-4483 Signed-off-by: MichaelMorris --- catalog-be/pom.xml | 52 ++++--- catalog-be/src/main/docker/backend/Dockerfile | 2 +- .../cookbooks/sdc-catalog-be/attributes/default.rb | 4 +- .../sdc-catalog-be/recipes/BE_4_jetty_Modules.rb | 2 - .../sdc-catalog-be/templates/default/ssl-ini.erb | 8 +- .../sdc/be/filters/BeCadiServletFilter.java | 151 +++++++++++++++++++++ .../sdc/be/listen/BEAppContextListener.java | 1 - .../sdc/config/CatalogBESpringConfig.java | 52 +------ 8 files changed, 196 insertions(+), 76 deletions(-) create mode 100644 catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeCadiServletFilter.java (limited to 'catalog-be') diff --git a/catalog-be/pom.xml b/catalog-be/pom.xml index d503b0b36a..d1f0d2e479 100644 --- a/catalog-be/pom.xml +++ b/catalog-be/pom.xml @@ -1,6 +1,6 @@ + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 catalog-be @@ -19,7 +19,6 @@ 3.2.0 1.5.3 ${project.version} - 7.4.11 @@ -221,11 +220,11 @@ - - io.micrometer - micrometer-registry-prometheus - ${micrometer.version} - + + io.micrometer + micrometer-registry-prometheus + ${micrometer.version} + ch.qos.logback @@ -632,6 +631,7 @@ compile + com.att.nsa @@ -834,6 +834,31 @@ + + + org.onap.aaf.authz + aaf-cadi-aaf + ${cadi.version} + + + com.datastax.cassandra + cassandra-driver-core + + + org.slf4j + slf4j-log4j12 + + + log4j + log4j + + + javax.servlet + javax.servlet-api + + + + org.assertj @@ -1045,17 +1070,6 @@ kafka-clients - - io.github.hakky54 - sslcontext-kickstart-for-jetty - ${io.github.hakky54.version} - - - io.github.hakky54 - sslcontext-kickstart - ${io.github.hakky54.version} - - diff --git a/catalog-be/src/main/docker/backend/Dockerfile b/catalog-be/src/main/docker/backend/Dockerfile index c5c36d6bc0..d33f67c156 100644 --- a/catalog-be/src/main/docker/backend/Dockerfile +++ b/catalog-be/src/main/docker/backend/Dockerfile @@ -1,4 +1,4 @@ -FROM onap/integration-java11:10.0.0 +FROM onap/integration-java11:9.0.0 USER root ARG JETTY_FOLDER=/app/jetty diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb index ba94e21449..a3e519826c 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/attributes/default.rb @@ -11,11 +11,11 @@ default['disableHttp'] = true #| Jetty | #| | #+----------------------------------+ + default['jetty']['dmaap_truststore_pwd'] = "dmaap_truststore_pwd" -default['jetty']['keystore_path'] = "etc/org.onap.sdc.p12" default['jetty']['keystore_pwd'] = "?(kP!Yur![*!Y5!E^f(ZKc31" default['jetty']['keymanager_pwd'] = "?(kP!Yur![*!Y5!E^f(ZKc31" -default['jetty']['truststore_path'] = "etc/org.onap.sdc.trust.jks" +default['jetty']['truststore_path'] = "#{ENV['JETTY_BASE']}/etc/truststore" # TO CHANGE THE TRUSTSTORE CERT THE JVM CONFIGURATION # MUST BE ALSO CHANGE IN THE startup.sh FILE default['jetty'][:truststore_pwd] = "z+KEj;t+,KN^iimSiS89e#p0" diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb index ad66a67e22..5655d0fd6f 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb @@ -51,10 +51,8 @@ template "ssl-ini" do mode "0755" variables ({ :https_port => "#{node['BE'][:https_port]}" , - :jetty_keystore_path => "#{node['jetty'][:keystore_path]}" , :jetty_keystore_pwd => "#{node['jetty'][:keystore_pwd]}" , :jetty_keymanager_pwd => "#{node['jetty'][:keymanager_pwd]}" , - :jetty_truststore_path => "#{node['jetty'][:truststore_path]}", :jetty_truststore_pwd => "#{node['jetty'][:truststore_pwd]}" }) end diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb index c489825c7b..278fdea2ae 100644 --- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb +++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb @@ -42,17 +42,17 @@ jetty.ssl.port=<%= @https_port %> ## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html ## Keystore file path (relative to $jetty.base) -jetty.sslContext.keyStorePath=<%= @jetty_keystore_path %> +jetty.sslContext.keyStorePath=etc/org.onap.sdc.p12 ## Truststore file path (relative to $jetty.base) -jetty.sslContext.trustStorePath=<%= @jetty_truststore_path %> +jetty.sslContext.trustStorePath=etc/org.onap.sdc.trust.jks ## Keystore password # jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 jetty.sslContext.keyStorePassword=<%= @jetty_keystore_pwd %> ## Keystore type and provider -jetty.sslContext.keyStoreType=JKS +# jetty.sslContext.keyStoreType=JKS # jetty.sslContext.keyStoreProvider= ## KeyManager password @@ -64,7 +64,7 @@ jetty.sslContext.keyManagerPassword=<%= @jetty_keymanager_pwd %> jetty.sslContext.trustStorePassword=<%= @jetty_truststore_pwd %> ## Truststore type and provider -jetty.sslContext.trustStoreType=JKS +# jetty.sslContext.trustStoreType=JKS # jetty.sslContext.trustStoreProvider= ## whether client certificate authentication is required diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeCadiServletFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeCadiServletFilter.java new file mode 100644 index 0000000000..7edd1621b1 --- /dev/null +++ b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeCadiServletFilter.java @@ -0,0 +1,151 @@ +/*- + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.openecomp.sdc.be.filters; + +import java.io.IOException; +import java.util.function.Supplier; +import javax.annotation.Priority; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.CadiFilter; +import org.openecomp.sdc.be.components.impl.CADIHealthCheck; +import org.openecomp.sdc.be.config.CadiFilterParams; +import org.openecomp.sdc.be.config.ConfigurationManager; +import org.openecomp.sdc.be.impl.WebAppContextWrapper; +import org.openecomp.sdc.common.api.Constants; +import org.openecomp.sdc.common.api.HealthCheckInfo; +import org.openecomp.sdc.common.log.wrappers.Logger; +import org.openecomp.sdc.common.util.ThreadLocalsHolder; +import org.springframework.web.context.WebApplicationContext; + +@Priority(2) +public class BeCadiServletFilter extends CadiFilter { + + private static final Logger log = Logger.getLogger(BeCadiServletFilter.class); + private static final String BE_CADI_SERVICE_FILTER = "BeCadiServletFilter: "; + private ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager(); + + public BeCadiServletFilter() { + super(); + log.debug(BE_CADI_SERVICE_FILTER); + } + + /** + * This constructor to be used when directly constructing and placing in HTTP Engine + * + * @param access + * @param moreTafLurs + * @throws ServletException + */ + public BeCadiServletFilter(Access access, Object... moreTafLurs) throws ServletException { + super(access, moreTafLurs); + log.debug(BE_CADI_SERVICE_FILTER); + } + + /** + * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it + * + * @param init + * @param access + * @param moreTafLurs + * @throws ServletException + */ + public BeCadiServletFilter(boolean init, PropAccess access, Object... moreTafLurs) throws ServletException { + super(init, access, moreTafLurs); + log.debug(BE_CADI_SERVICE_FILTER); + } + + private void checkIfNullProperty(String key, String value) { + /* When value is null, so not defined in application.properties + set nothing in System properties */ + if (value != null) { + /* Ensure that any properties already defined in System.prop by JVM params + won't be overwritten by Spring application.properties values */ + System.setProperty(key, System.getProperty(key, value)); + } + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + // set some properties in System so that Cadi filter will find its config + + // The JVM values set will always overwrite the Spring ones. + CadiFilterParams cadiFilterParams = configurationManager.getConfiguration().getCadiFilterParams(); + checkIfNullProperty(Config.HOSTNAME, cadiFilterParams.getHostname()); + log.debug("BeCadiServletFilter: HOSTNAME", cadiFilterParams.getHostname()); + checkIfNullProperty(Config.CADI_KEYFILE, cadiFilterParams.getCadi_keyfile()); + checkIfNullProperty(Config.CADI_LOGLEVEL, cadiFilterParams.getCadi_loglevel()); + checkIfNullProperty(Config.CADI_LATITUDE, cadiFilterParams.getAFT_LATITUDE()); + checkIfNullProperty(Config.CADI_LONGITUDE, cadiFilterParams.getAFT_LONGITUDE()); + checkIfNullProperty(Config.AAF_URL, cadiFilterParams.getAaf_url()); + //checkIfNullProperty(Config.AAF_LOCATE_URL, cadiFilterParams.getAafLocateUrl()); + checkIfNullProperty(Config.AAF_APPID, cadiFilterParams.getAaf_id()); + checkIfNullProperty(Config.AAF_APPPASS, cadiFilterParams.getAaf_password()); + checkIfNullProperty(Config.AAF_ENV, cadiFilterParams.getAFT_ENVIRONMENT()); + checkIfNullProperty(Config.CADI_X509_ISSUERS, cadiFilterParams.getCadiX509Issuers()); + checkIfNullProperty(Config.CADI_TRUSTSTORE, cadiFilterParams.getCadi_truststore()); + checkIfNullProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadiFilterParams.getCadi_truststore_password()); + super.init(filterConfig); + log.debug("BeCadiServletFilter finishing init(), Current status of CADI would be UP"); + if (!isNeedAuth()) { + CADIHealthCheck.getCADIHealthCheckInstance().setIsCADIUp(HealthCheckInfo.HealthCheckStatus.DOWN); + } else { + CADIHealthCheck.getCADIHealthCheckInstance().setIsCADIUp(HealthCheckInfo.HealthCheckStatus.UP); + } + } + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + if (ThreadLocalsHolder.isExternalRequest() && isNeedAuth()) { + log.debug("doFilter: {}", request.getContentType()); + HttpServletRequest hreq = (HttpServletRequest) request; + log.debug("Need aaf authentication : {}", hreq); + ThreadLocalUtils threadLocalUtils = getThreadLocalUtils(((HttpServletRequest) request).getSession().getServletContext()); + threadLocalUtils.setUserContext((HttpServletRequest) request); + super.doFilter(request, response, chain); + } else { + log.debug("No need aaf authentication"); + chain.doFilter(request, response); + } + } + + private boolean isNeedAuth() { + return configurationManager.getConfiguration().getAafAuthNeeded(); + } + + ThreadLocalUtils getThreadLocalUtils(ServletContext context) { + return getClassFromWebAppContext(context, () -> ThreadLocalUtils.class); + } + + T getClassFromWebAppContext(ServletContext context, Supplier> businessLogicClassGen) { + WebAppContextWrapper webApplicationContextWrapper = (WebAppContextWrapper) context + .getAttribute(Constants.WEB_APPLICATION_CONTEXT_WRAPPER_ATTR); + WebApplicationContext webApplicationContext = webApplicationContextWrapper.getWebAppContext(context); + return webApplicationContext.getBean(businessLogicClassGen.get()); + } +} diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/listen/BEAppContextListener.java b/catalog-be/src/main/java/org/openecomp/sdc/be/listen/BEAppContextListener.java index 0bd921db54..76be33cedf 100644 --- a/catalog-be/src/main/java/org/openecomp/sdc/be/listen/BEAppContextListener.java +++ b/catalog-be/src/main/java/org/openecomp/sdc/be/listen/BEAppContextListener.java @@ -39,7 +39,6 @@ public class BEAppContextListener extends AppContextListener implements ServletC private static final String MANIFEST_FILE_NAME = "/META-INF/MANIFEST.MF"; private static final Logger log = Logger.getLogger(BEAppContextListener.class); - @Override public void contextInitialized(ServletContextEvent context) { super.contextInitialized(context); ConfigurationManager configurationManager = new ConfigurationManager(ExternalConfiguration.getConfigurationSource()); diff --git a/catalog-be/src/main/java/org/openecomp/sdc/config/CatalogBESpringConfig.java b/catalog-be/src/main/java/org/openecomp/sdc/config/CatalogBESpringConfig.java index c423795a2f..b38210116c 100644 --- a/catalog-be/src/main/java/org/openecomp/sdc/config/CatalogBESpringConfig.java +++ b/catalog-be/src/main/java/org/openecomp/sdc/config/CatalogBESpringConfig.java @@ -21,11 +21,7 @@ */ package org.openecomp.sdc.config; -import nl.altindag.ssl.SSLFactory; -import nl.altindag.ssl.util.JettySslUtils; import org.apache.http.impl.client.CloseableHttpClient; -import org.eclipse.jetty.util.ssl.SslContextFactory; -import org.onap.config.api.JettySSLUtils; import org.onap.portalsdk.core.onboarding.exception.CipherUtilException; import org.onap.sdc.security.PortalClient; import org.openecomp.sdc.be.auditing.impl.ConfigurationProvider; @@ -33,27 +29,19 @@ import org.openecomp.sdc.be.components.impl.ComponentLocker; import org.openecomp.sdc.be.components.impl.aaf.RoleAuthorizationHandler; import org.openecomp.sdc.be.components.impl.lock.ComponentLockAspect; import org.openecomp.sdc.be.components.lifecycle.LifecycleBusinessLogic; -import org.openecomp.sdc.be.config.Configuration; import org.openecomp.sdc.be.config.ConfigurationManager; import org.openecomp.sdc.be.ecomp.converters.AssetMetadataConverter; import org.openecomp.sdc.be.filters.FilterConfiguration; import org.openecomp.sdc.be.filters.PortalConfiguration; import org.openecomp.sdc.be.filters.ThreadLocalUtils; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; +import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; -import javax.net.ssl.SSLSessionContext; -import javax.net.ssl.X509ExtendedKeyManager; -import javax.net.ssl.X509ExtendedTrustManager; -import java.io.IOException; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.StandardOpenOption; - - // @formatter:off -@org.springframework.context.annotation.Configuration +@Configuration @ComponentScan({ "org.openecomp.sdc.be.user", "org.openecomp.sdc.be.facade.operations", @@ -85,11 +73,10 @@ public class CatalogBESpringConfig { private static final int BEFORE_TRANSACTION_MANAGER = 0; private final ComponentLocker componentLocker; - private final JettySSLUtils.JettySslConfig sslConfig; + @Autowired public CatalogBESpringConfig(ComponentLocker componentLocker) { this.componentLocker = componentLocker; - sslConfig = JettySSLUtils.getSSLConfig(); } @Bean(name = "lifecycleBusinessLogic") @@ -145,36 +132,7 @@ public class CatalogBESpringConfig { } @Bean - public Configuration configuration() { + public org.openecomp.sdc.be.config.Configuration configuration() { return ConfigurationManager.getConfigurationManager().getConfiguration(); } - - @Bean - public SSLFactory sslFactory() throws IOException { - return SSLFactory.builder().withSwappableIdentityMaterial() - .withIdentityMaterial(Files.newInputStream(Path.of(sslConfig.getKeystorePath()), StandardOpenOption.READ), sslConfig.getKeystorePass().toCharArray(), sslConfig.getKeystoreType()).withSwappableTrustMaterial() - .withTrustMaterial(Files.newInputStream(Path.of(sslConfig.getTruststorePath()), StandardOpenOption.READ), sslConfig.getTruststorePass().toCharArray(), sslConfig.getTruststoreType()).withNeedClientAuthentication() - .build(); - } - - @Bean - public SslContextFactory.Server sslContextFactory(SSLFactory sslFactory) { - return JettySslUtils.forServer(sslFactory); - } - - @Bean - public X509ExtendedKeyManager keyManager(SSLFactory sslFactory) throws Exception { - return sslFactory.getKeyManager().orElseThrow(Exception::new); - } - - @Bean - public X509ExtendedTrustManager trustManager(SSLFactory sslFactory) throws Exception { - return sslFactory.getTrustManager().orElseThrow(Exception::new); - } - - @Bean - public SSLSessionContext serverSessionContext(SSLFactory sslFactory) { - return sslFactory.getSslContext().getServerSessionContext(); - } - } -- cgit 1.2.3-korg