From e9e5777db6edcbf34d3315a034ca9be2262fd61d Mon Sep 17 00:00:00 2001
From: "k.kedron"
Date: Fri, 23 Aug 2019 16:46:49 +0200
Subject: Fully HTTPS support in the catalog-fe
Fully HTTPS support:
-Updated jvm configuration to support call to the SDC components using HTTPS.
-Checkstyle in the recipes
-Added buildRestClient method to create the CloseableHttpClient supporting the SSL connection
-Sonar fixes in the PluginStatusBL class
Issue-ID: SDC-2516
Signed-off-by: Krystian Kedron
Change-Id: I35b9e22026898d2cc67a4b2d86d9d508a33fcb59
---
 .../cookbooks/sdc-catalog-fe/attributes/default.rb | 2 +
 .../sdc-catalog-fe/recipes/FE_4_logback.rb | 1 -
 .../recipes/FE_7_create_jetty_modules.rb | 4 +-
 catalog-fe/sdc-frontend/startup.sh | 11 +++-
 .../org/openecomp/sdc/fe/impl/PluginStatusBL.java | 2 +-
 .../sdc/fe/listen/FEAppContextListener.java | 61 ++++++++++++++++++----
 6 files changed, 64 insertions(+), 17 deletions(-)
(limited to 'catalog-fe')
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/attributes/default.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/attributes/default.rb
index eb30eba01c..a7c9ce1d90 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/attributes/default.rb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/attributes/default.rb
@@ -6,6 +6,8 @@ default['FE'][:https_port] = 9443
 default['disableHttp'] = true
 default['jetty'][:keystore_pwd] = "rTIS;B4kM]2GHcNK2c3B4&Ng"
 default['jetty'][:keymanager_pwd] = "rTIS;B4kM]2GHcNK2c3B4&Ng"
+# TO CHANGE THE TRUSTSTORE CERT THE JVM CONFIGURATION
+# MUST BE ALSO CHANGE IN THE startup.sh FILE
 default['jetty'][:truststore_pwd] = "Y,f975ZNJfVZhV*{+Y[}pA?0"
 
 #Onboard
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_4_logback.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_4_logback.rb
index 67c511408c..f26418372b 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_4_logback.rb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_4_logback.rb
@@ -4,4 +4,3 @@ cookbook_file "#{ENV['JETTY_BASE']}/config/catalog-fe/logback.xml" do
 owner "jetty"
 group "jetty"
 end
-
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb
index b1c32b9506..bf756fb1c6 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb
@@ -23,7 +23,7 @@ template "http-ini" do
 owner "jetty"
 group "jetty"
 mode "0755"
- variables ({
+ variables({
 :http_option => http_option ,
 :http_port => "#{node['FE'][:http_port]}"
 })
@@ -46,7 +46,7 @@ template "ssl-ini" do
 owner "jetty"
 group "jetty"
 mode "0755"
- variables ({
+ variables({
 :https_port => "#{node['FE'][:https_port]}" ,
 :jetty_keystore_pwd => "#{node['jetty'][:keystore_pwd]}" ,
 :jetty_keymanager_pwd => "#{node['jetty'][:keymanager_pwd]}" ,
diff --git a/catalog-fe/sdc-frontend/startup.sh b/catalog-fe/sdc-frontend/startup.sh
index d8f522d3e1..99cdaf0f48 100644
--- a/catalog-fe/sdc-frontend/startup.sh
+++ b/catalog-fe/sdc-frontend/startup.sh
@@ -1,6 +1,14 @@
 #!/bin/sh
-JAVA_OPTIONS=" ${JAVA_OPTIONS} -Dconfig.home=${JETTY_BASE}/config -Dlog.home=${JETTY_BASE}/logs -Dlogback.configurationFile=${JETTY_BASE}/config/catalog-fe/logback.xml -Dconfiguration.yaml=${JETTY_BASE}/config/catalog-fe/configuration.yaml -Donboarding_configuration.yaml=${JETTY_BASE}/config/onboarding-fe/onboarding_configuration.yaml"
+JAVA_OPTIONS=" ${JAVA_OPTIONS} \
+ -Dconfig.home=${JETTY_BASE}/config \
+ -Dlog.home=${JETTY_BASE}/logs \
+ -Dlogback.configurationFile=${JETTY_BASE}/config/catalog-fe/logback.xml \
+ -Dconfiguration.yaml=${JETTY_BASE}/config/catalog-fe/configuration.yaml \
+ -Donboarding_configuration.yaml=${JETTY_BASE}/config/onboarding-fe/onboarding_configuration.yaml \
+ -Djavax.net.ssl.trustStore=${JETTY_BASE}/etc/org.onap.sdc.trust.jks \
+ -Djavax.net.ssl.trustStorePassword=Y,f975ZNJfVZhV*{+Y[}pA?0 \
+ -Djetty.console-capture.dir=${JETTY_BASE}/logs "
 
 cd /root/chef-solo
 chef-solo -c solo.rb -E ${ENVNAME}
 
@@ -9,4 +17,3 @@ cd /var/lib/jetty
 /docker-entrypoint.sh &
 while true; do sleep 2; done
 
-
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java
index cdb9e0f9bf..6461ccfad6 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/PluginStatusBL.java
@@ -60,7 +60,7 @@ public class PluginStatusBL {
 }
 
 public String getPluginsList() {
- String result = null;
+ String result;
 
 if (pluginsConfiguration == null || pluginsConfiguration.getPluginsList() == null) {
 LOGGER.warn("Configuration of type {} was not found", PluginsConfiguration.class);
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/listen/FEAppContextListener.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/listen/FEAppContextListener.java
index f087f55349..a672b1b201 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/listen/FEAppContextListener.java
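Review bot: The new `-Djavax.net.ssl.trustStorePassword=Y,f975ZNJfVZhV*{+Y[}pA?0` option places the truststore password on the java command line, where any local process can read it from a process listing or /proc/PID/cmdline, and it duplicates the value the cookbook already holds in `default['jetty'][:truststore_pwd]` (the comment added to attributes/default.rb in this same commit acknowledges the two copies must be kept in sync by hand). Prefer having the chef recipe render the value into a root-only file or environment variable that this script reads, e.g. `-Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PWD}` (variable name illustrative), so the secret lives in one place and off the command line. The value also contains `*`, `{`, `[` and `?`; inside the double-quoted assignment here that is safe, but if the Jetty start script later expands `$JAVA_OPTIONS` unquoted those characters are subject to pathname expansion, which is worth confirming.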
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/listen/FEAppContextListener.java
@@ -3,6 +3,7 @@
  * SDC
  * ================================================================================
  * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * Modifications Copyright (c) 2019 Samsung
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +21,27 @@
 
 package org.openecomp.sdc.fe.listen;
 
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+
+import org.apache.http.config.Registry;
+import org.apache.http.config.RegistryBuilder;
+import org.apache.http.conn.socket.ConnectionSocketFactory;
+import org.apache.http.conn.socket.PlainConnectionSocketFactory;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
+import org.apache.http.ssl.SSLContextBuilder;
 import org.openecomp.sdc.common.api.Constants;
 import org.openecomp.sdc.common.impl.ExternalConfiguration;
 import org.openecomp.sdc.common.listener.AppContextListener;
@@ -30,15 +52,10 @@ import org.openecomp.sdc.fe.servlets.HealthCheckService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.servlet.ServletContextEvent;
-import javax.servlet.ServletContextListener;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-
 public class FEAppContextListener extends AppContextListener implements ServletContextListener {
 
- private static final int HEALTH_CHECHK_INTERVALE = 5;
- private static final int PROBE_INTERVALE = 15;
+ private static final int HEALTH_CHECK_INTERVAL = 5;
+ private static final int PROBE_INTERVAL = 15;
 private static Logger log = LoggerFactory.getLogger(FEAppContextListener.class.getName());
 
 public void contextInitialized(ServletContextEvent context) {
@@ -51,17 +68,22 @@ public class FEAppContextListener extends AppContextListener implements ServletC
 ExternalConfiguration.getAppName());
 context.getServletContext().setAttribute(Constants.CONFIGURATION_MANAGER_ATTR, configurationManager);
 
- PluginStatusBL pbl = new PluginStatusBL();
- context.getServletContext().setAttribute(Constants.PLUGIN_BL_COMPONENT, pbl);
+ try {
+ PluginStatusBL pbl = new PluginStatusBL(buildRestClient());
+ context.getServletContext().setAttribute(Constants.PLUGIN_BL_COMPONENT, pbl);
+ } catch (SSLException e) {
+ log.debug("ERROR: Build rest client failed because ", e);
+ return;
+ }
 
 // Health Check service
 HealthCheckService hcs = new HealthCheckService(context.getServletContext());
- hcs.start(configurationManager.getConfiguration().getHealthCheckIntervalInSeconds(HEALTH_CHECHK_INTERVALE));
+ hcs.start(configurationManager.getConfiguration().getHealthCheckIntervalInSeconds(HEALTH_CHECK_INTERVAL));
 context.getServletContext().setAttribute(Constants.HEALTH_CHECK_SERVICE_ATTR, hcs);
 
 // Monitoring service
 FeMonitoringService fms = new FeMonitoringService(context.getServletContext());
- fms.start(configurationManager.getConfiguration().getSystemMonitoring().getProbeIntervalInSeconds(PROBE_INTERVALE));
+ fms.start(configurationManager.getConfiguration().getSystemMonitoring().getProbeIntervalInSeconds(PROBE_INTERVAL));
 
 if (configurationManager.getConfiguration() == null) {
 log.debug("ERROR: configuration was not properly loaded");
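Review bot: The new `catch (SSLException e)` records the failure only at debug level and then returns, so a bad or missing truststore leaves the web app without HealthCheckService, FeMonitoringService and whatever follows in the method, with no error-level trace explaining why. At minimum promote the line to `log.error("Build rest client failed", e);` so the condition is visible in production logs. Consider also whether a loud failure of context initialisation (rethrowing as an unchecked exception) is preferable to the silent early return, since an HTTPS client that cannot be built is a deployment error rather than a recoverable condition. contextInitialized begins before this hunk and its body continues past it.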
@@ -87,4 +109,21 @@ public class FEAppContextListener extends AppContextListener implements ServletC
 }
 
+ private CloseableHttpClient buildRestClient() throws SSLException {
+ SSLContextBuilder builder = new SSLContextBuilder();
+ try {
+ builder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
+ SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
+ SSLContext.getDefault(), NoopHostnameVerifier.INSTANCE);
+ Registry registry =
+ RegistryBuilder.create()
+ .register("http", new PlainConnectionSocketFactory()).register("https", sslsf)
+ .build();
+ PoolingHttpClientConnectionManager cm =
+ new PoolingHttpClientConnectionManager(registry);
+ return HttpClients.custom().setSSLSocketFactory(sslsf).setConnectionManager(cm).build();
+ } catch (NoSuchAlgorithmException | KeyStoreException e) {
+ throw new SSLException(e);
+ }
+ }
 }
-- 
cgit 1.2.3-korg
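Review bot: `builder.loadTrustMaterial(null, new TrustSelfSignedStrategy())` configures an SSLContextBuilder whose result is never used — the socket factory is created from `SSLContext.getDefault()` on the next line — so the self-signed trust strategy is dead code and trust is in fact decided by the JVM truststore passed via `-Djavax.net.ssl.trustStore`, which is the better outcome but not what the method reads as doing. `NoopHostnameVerifier.INSTANCE`, by contrast, is live and disables hostname verification, so any certificate the truststore trusts is accepted for any host; if that relaxation is needed for a specific deployment it should be an explicit, commented configuration choice rather than the hard-coded default. `Registry registry` and `RegistryBuilder.create()` are raw types, which is why the `ConnectionSocketFactory` import added earlier in this commit is unused. The rewrite below removes the unused builder (after which the `KeyStoreException`, `SSLContextBuilder` and `TrustSelfSignedStrategy` imports from the earlier hunk also become unused), switches to the default hostname verifier and types the registry.
```java
private CloseableHttpClient buildRestClient() throws SSLException {
    try {
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                SSLContext.getDefault(), SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", new PlainConnectionSocketFactory())
                .register("https", sslsf)
                .build();
        // … unchanged: PoolingHttpClientConnectionManager creation and HttpClients.custom() build …
    } catch (NoSuchAlgorithmException e) {
        throw new SSLException(e);
    }
}
```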