From 9c48e6785455a58d69fcbb4651fbd15575fe2747 Mon Sep 17 00:00:00 2001 From: "r.bogacki" Date: Thu, 10 Oct 2019 08:48:03 +0200 Subject: Enabled HTTPS for sdc-workflow-designer -Fixes for frontend and backend communication Change-Id: Ic8e27e1e8f116ccef23e032fbb02a99af56fa516 Issue-ID: SDC-2479 Signed-off-by: Robert Bogacki Signed-off-by: Krystian Kedron --- .../org/onap/workflow/web/SSLProxyServlet.java | 211 +++++++++++++++++++++ .../org/onap/workflow/web/TransparentProxy.java | 96 ---------- .../src/main/webapp/WEB-INF/web.xml | 7 +- 3 files changed, 214 insertions(+), 100 deletions(-) create mode 100644 workflow-designer-ui/src/main/java/org/onap/workflow/web/SSLProxyServlet.java delete mode 100644 workflow-designer-ui/src/main/java/org/onap/workflow/web/TransparentProxy.java (limited to 'workflow-designer-ui/src') diff --git a/workflow-designer-ui/src/main/java/org/onap/workflow/web/SSLProxyServlet.java b/workflow-designer-ui/src/main/java/org/onap/workflow/web/SSLProxyServlet.java new file mode 100644 index 00000000..775706d2 --- /dev/null +++ b/workflow-designer-ui/src/main/java/org/onap/workflow/web/SSLProxyServlet.java @@ -0,0 +1,211 @@ +/*- + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + + +package org.onap.workflow.web; + + +import org.eclipse.jetty.client.HttpClient; +import org.eclipse.jetty.client.api.Request; +import org.eclipse.jetty.http.HttpHeader; +import org.eclipse.jetty.http.HttpScheme; +import org.eclipse.jetty.proxy.ProxyServlet; +import org.eclipse.jetty.util.URIUtil; +import org.eclipse.jetty.util.ssl.SslContextFactory; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.net.MalformedURLException; +import java.net.URL; +import java.util.Enumeration; + + +/*** + * Class that provides the proxy implementation for both secured and unsecured backend connections. + * + * The following nevironment value is mandatory: + * proxyTo - the full URL to the backend server (including protocol and context path if relevant) + * + * In case of a secured connection (proxyTo starting with https) the following may be set: + * sslTrustAll - set to true if all secure connection are accepted + * maxPoolConnections - number of connection in the pool, only when overriding the jetty default + * + * In case of SSL and nto trusting all certificates: + * keystorePath - path to the keystore + * keystoreType - type of the keystore + * keystorePassword - keystore password + * + * truststorePath - path to the truststore + * truststoreType - type of the truststore + * truststorePassword - truststore password + + */ + +public class SSLProxyServlet extends ProxyServlet { + + + public static final int TIMEOUT = 600000; + protected static final String PROXY_TO = "proxyTo"; + protected static final String TRUST_ALL = "sslTrustAll"; + protected static final String MAX_POOL_CONNECTIONS = "maxPoolConnections"; + protected static final String KEYSTORE_PATH = "keystorePath"; + protected static final String KEYSTORE_TYPE = "keystoreType"; + protected static final String KEYSTORE_P = "keystorePassword"; + protected static final String KEYMANAGER_P = "keyManagerPassword"; + protected static final String KEYSTORE_CYPHER = "keystoreCypher"; + protected static final String TRUSTSTORE_PATH = "truststorePath"; + protected static final String TRUSTSTORE_TYPE = "truststoreType"; + protected static final String TRUSTSTORE_P = "truststorePassword"; + protected static final String ENDPOINT_IDENTIFICATION_ALGORITHM = "endpointIdentificationAlgorithm"; + private static final long serialVersionUID = 1L; + private static URL proxyUrl = null; + + + private static void setProxyUrl(URL proxy) { + SSLProxyServlet.proxyUrl = proxy; + } + + private void initProxyUrl() throws ServletException, MalformedURLException { + + if (SSLProxyServlet.proxyUrl != null) + return; + String proxyUrlStr = System.getProperty(PROXY_TO); + if (proxyUrlStr == null) { + throw new ServletException("-D" + PROXY_TO + " must be specified"); + } + setProxyUrl(new URL(proxyUrlStr)); + } + + + @Override + public void init() throws ServletException { + super.init(); + try { + initProxyUrl(); + } catch (MalformedURLException e) { + throw new ServletException(e); + } + } + + + @Override + public void sendProxyRequest(HttpServletRequest request, HttpServletResponse response, Request proxyRequest) { + + @SuppressWarnings("unchecked") + Enumeration headerNames = request.getHeaderNames(); + while (headerNames.hasMoreElements()) { + String headerName = headerNames.nextElement(); + if (!proxyRequest.getHeaders().containsKey(headerName)) { + String headerVal = request.getHeader(headerName); + proxyRequest.header(headerName, headerVal); + } + } + proxyRequest.getHeaders().remove(HttpHeader.HOST); + super.sendProxyRequest(request, response, proxyRequest); + + } + + @Override + protected HttpClient newHttpClient() { + // ioverride parent method to be able to create a secured client as well. + boolean isSecureClient = ( + proxyUrl.getProtocol() != null && + proxyUrl.getProtocol().equalsIgnoreCase(HttpScheme.HTTPS.toString())); + if ((isSecureClient)) { + String trustAll = System.getProperty(TRUST_ALL); + SslContextFactory sslContextFactory = null; + if (trustAll != null && Boolean.parseBoolean(trustAll) == Boolean.TRUE) { + sslContextFactory = new SslContextFactory.Client(true); + } else { + sslContextFactory = new SslContextFactory.Client(false); + // setting up truststore + sslContextFactory.setTrustStorePath(System.getProperty(TRUSTSTORE_PATH)); + sslContextFactory.setTrustStorePassword(System.getProperty(TRUSTSTORE_P)); + sslContextFactory.setTrustStoreType(System.getProperty(TRUSTSTORE_TYPE)); + // setting up keystore + sslContextFactory.setKeyStorePath(System.getProperty(KEYSTORE_PATH)); + sslContextFactory.setKeyStorePassword(System.getProperty(KEYSTORE_P)); + sslContextFactory.setKeyStoreType(System.getProperty(KEYSTORE_TYPE)); + sslContextFactory.setKeyManagerPassword(System.getProperty(KEYMANAGER_P)); + + if (System.getProperty(ENDPOINT_IDENTIFICATION_ALGORITHM) != null && + !System.getProperty(ENDPOINT_IDENTIFICATION_ALGORITHM).equals("")) { + sslContextFactory + .setEndpointIdentificationAlgorithm(System.getProperty(ENDPOINT_IDENTIFICATION_ALGORITHM)); + } + + if (System.getProperty(KEYSTORE_CYPHER) != null && + !System.getProperty(KEYSTORE_CYPHER).equals("")) { + sslContextFactory.setIncludeCipherSuites(System.getProperty(KEYSTORE_CYPHER)); + } + } + + return new HttpClient(sslContextFactory); + + } else { + return super.newHttpClient(); + } + + } + + @Override + protected HttpClient createHttpClient() throws ServletException { + + try { + initProxyUrl(); + } catch (MalformedURLException e) { + throw new ServletException(e); + } + // calling the parent and setting the configuration for our implementation + HttpClient client = super.createHttpClient(); + setTimeout(TIMEOUT); + client.setIdleTimeout(TIMEOUT); + client.setStopTimeout(TIMEOUT); + if (System.getProperty(MAX_POOL_CONNECTIONS) != null) { + client.setMaxConnectionsPerDestination( + Integer.valueOf(System.getProperty(MAX_POOL_CONNECTIONS))); + } + return client; + + } + + + + @Override + protected String rewriteTarget(HttpServletRequest request) { + + String path = proxyUrl.getPath(); + if (request.getServletPath() != null) { + path += request.getServletPath(); + } + if (request.getPathInfo() != null) { + path += request.getPathInfo(); + } + + return URIUtil.newURI( + proxyUrl.getProtocol(), + proxyUrl.getHost(), + proxyUrl.getPort(), + path, + request.getQueryString()); + } + +} diff --git a/workflow-designer-ui/src/main/java/org/onap/workflow/web/TransparentProxy.java b/workflow-designer-ui/src/main/java/org/onap/workflow/web/TransparentProxy.java deleted file mode 100644 index 3dc65234..00000000 --- a/workflow-designer-ui/src/main/java/org/onap/workflow/web/TransparentProxy.java +++ /dev/null @@ -1,96 +0,0 @@ -/* - * Copyright © 2016-2018 European Support Limited - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.onap.workflow.web; - -import java.util.ArrayList; -import java.util.Collections; -import java.util.Enumeration; -import javax.servlet.ServletConfig; -import javax.servlet.ServletContext; -import javax.servlet.ServletException; -import org.eclipse.jetty.proxy.ProxyServlet; - -/** - *

A naive implementation of transparent proxy based on - * Jetty proxy servlet. - * The only difference is that the proxyTo configuration parameter is taken from a JVM argument (and can - * be therefore injected via an environment variable), instead of an init-param in web.xml.

- *

Example: java -DproxyTo=http://172.17.0.9:8080 -jar $JETTY_HOME/start.jar

- *

If you get a 502 Bad Gateway error:

- *
    - *
      - * Make sure that Jetty 'proxy' module - * is not enabled. - *
    - *
      - * Check the value of proxyTo. Make sure it does not redirect to the proxy server itself. - *
    - *
      - * Make sure there is no proxy (e.g. in a corporate environment) between the servlet and proxyTo. - *
    - *
- * - * @author evitaliy - * @since 16 Jul 2018 - */ -public class TransparentProxy extends ProxyServlet.Transparent { - - @Override - public void init(ServletConfig config) throws ServletException { - super.init(new ServletConfigWrapper(config)); - } - - private class ServletConfigWrapper implements ServletConfig { - - private static final String PROXY_TO = "proxyTo"; - - private final String proxyTo; - private final ServletConfig config; - - ServletConfigWrapper(ServletConfig config) throws ServletException { - - this.proxyTo = System.getProperty(PROXY_TO); - if (this.proxyTo == null) { - throw new ServletException("-D" + PROXY_TO + " must be specified"); - } - - this.config = config; - } - - @Override - public String getServletName() { - return config.getServletName(); - } - - @Override - public ServletContext getServletContext() { - return config.getServletContext(); - } - - @Override - public String getInitParameter(String s) { - return PROXY_TO.equals(s) ? this.proxyTo : config.getInitParameter(s); - } - - @Override - public Enumeration getInitParameterNames() { - ArrayList params = Collections.list(config.getInitParameterNames()); - params.add(PROXY_TO); - return Collections.enumeration(params); - } - } -} diff --git a/workflow-designer-ui/src/main/webapp/WEB-INF/web.xml b/workflow-designer-ui/src/main/webapp/WEB-INF/web.xml index a58e1274..279b405e 100644 --- a/workflow-designer-ui/src/main/webapp/WEB-INF/web.xml +++ b/workflow-designer-ui/src/main/webapp/WEB-INF/web.xml @@ -5,14 +5,13 @@ version="4.0"> - Transparent Proxy - org.onap.workflow.web.TransparentProxy + Backend Proxy + org.onap.workflow.web.SSLProxyServlet 1 true - - Transparent Proxy + Backend Proxy /wf/* /v1.0/activity-spec/* -- cgit 1.2.3-korg