From f5a939b31eccb0f359786bed89822787c2a4c140 Mon Sep 17 00:00:00 2001 From: "waqas.ikram" Date: Fri, 5 Feb 2021 14:26:17 +0000 Subject: Adding sol003-adapter-adapter-application module Change-Id: I87957d8f06fa108d1163c0fc2d69910f40206764 Issue-ID: SO-3486 Signed-off-by: waqas.ikram --- so-etsi-sol003-adapter-application/Readme.txt | 132 +++++++++++++++++++++ so-etsi-sol003-adapter-application/pom.xml | 75 ++++++++++++ .../so/adapters/etsisol003adapter/Application.java | 57 +++++++++ ...siSol003AdapterBasicHttpSecurityConfigurer.java | 63 ++++++++++ .../src/main/resources/application-aaf.yaml | 0 .../src/main/resources/application-basic.yaml | 0 .../src/main/resources/application.yaml | 63 ++++++++++ .../src/main/resources/org.onap.so.trust.jks | Bin 0 -> 3202 bytes .../src/main/resources/so-vnfm-adapter.p12 | Bin 0 -> 5834 bytes 9 files changed, 390 insertions(+) create mode 100644 so-etsi-sol003-adapter-application/Readme.txt create mode 100755 so-etsi-sol003-adapter-application/src/main/java/org/onap/so/adapters/etsisol003adapter/Application.java create mode 100644 so-etsi-sol003-adapter-application/src/main/java/org/onap/so/adapters/etsisol003adapter/EtsiSol003AdapterBasicHttpSecurityConfigurer.java create mode 100644 so-etsi-sol003-adapter-application/src/main/resources/application-aaf.yaml create mode 100644 so-etsi-sol003-adapter-application/src/main/resources/application-basic.yaml create mode 100644 so-etsi-sol003-adapter-application/src/main/resources/application.yaml create mode 100644 so-etsi-sol003-adapter-application/src/main/resources/org.onap.so.trust.jks create mode 100644 so-etsi-sol003-adapter-application/src/main/resources/so-vnfm-adapter.p12 diff --git a/so-etsi-sol003-adapter-application/Readme.txt b/so-etsi-sol003-adapter-application/Readme.txt new file mode 100644 index 0000000..aaad603 --- /dev/null +++ b/so-etsi-sol003-adapter-application/Readme.txt @@ -0,0 +1,132 @@ +The following describes how to configure authentication for the VNFM adapter. + +TLS should always be configured to ensure secure communication between the VNFM-adapter <-> BPMN infra and VNFM-adapter <-> VNFM +If two-way TLS is configured then there is no need for any further authentication (i.e. no need for token or basic auth). +If two-way TLS is NOT configured then authentication is REQUIRED. Oauth token based authentication must be used for requests, while for notifications either oauth tokens or basic auth can be used. + + +========================================== +To confgure TLS +========================================== + +--------------- +VNFM Adapter +--------------- +The following parameters can be set to configure the certificate for the VNFM adapter +server: + ssl: + key-alias: so@so.onap.org + key--store-password: 'ywsqCy:EEo#j}HJHM7z^Rk[L' + key-store: classpath:so-vnfm-adapter.p12 + key-store-type: PKCS12 +The values shown above relate to the certificate included in the VNFM adapter jar which has been generated from AAF. If a different certificate is to be used then these values should be changed accordingly. + +The following paramters can be set to configure the trust store for the VNFM adapter: +http: + client: + ssl: + trust-store: classpath:org.onap.so.trust.jks + trust-store-password: ',sx#.C*W)]wVgJC6ccFHI#:H' +The values shown above relate to the trust store included in the VNFM adapter jar which has been generated from AAI. If a different trust store is to be used then these values should be changed accordingly. + +Ensure the value for the below parameter uses https instead of http +vnfmadapter: + endpoint: http://so-vnfm-adapter.onap:9092 + +--------------- +bpmn-infra +--------------- +For bpmn-infra, ensure the value for the below parameter uses https instead of http +so: + vnfm: + adapter: + url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/ + + +========================================== +To use two way TLS +========================================== + +Ensure the value for username and password are empty in the AAI entry for the VNFM (The VNFM adapter will use oauth instead of two way TLS if the username/password is set). +Ensure TLS has been configuered as detailed above. + +--------------- +VNFM adapter +--------------- +Set the following parameter for the VNFM adapter: +server: + ssl: + client-auth: need + +--------------- +bpmn-infra: +--------------- +Set the following paramters for bpmn-infra: +rest: + http: + client: + configuration: + ssl: + keyStore: classpath:org.onap.so.p12 + keyStorePassword: 'RLe5ExMWW;Kd6GTSt0WQz;.Y' + trustStore: classpath:org.onap.so.trust.jks + trustStorePassword: '6V%8oSU$,%WbYp3IUe;^mWt4' +Ensure the value for the below parameter uses https instead of http +so: + vnfm: + adapter: + url: https://so-vnfm-adapter.onap:9092/so/vnfm-adapter/v1/ + +--------------- +VNFM simulator: +--------------- +Set the following parameters for the VNFM simulator (if used): +server: + ssl: + client-auth: need + request: + grant: + auth: twowaytls + +========================================== +To use oauth token base authentication +========================================== + +--------------- +VNFM adapter: +--------------- +Ensure the value for username and password set set in the AAI entry for the VNFM. The VNFM adapter will use this username/password as the client credentials in the request for a token for the VNFM. The token endpoint +for the VNFM will by default will be derived from the service url for the VNFM in AAI as follows: /oauth/token, e.g. if the service url is https://so-vnfm-simulator.onap/vnflcm/v1 then the token url will +be taken to be https://so-vnfm-simulator.onap/oauth/token. This can be overriden using the following parameter for the VNFM adapter: +vnfmadapter: + temp: + vnfm: + oauth: + endpoint: + +The VNFM adapter exposes a token point at url: https://:/oauth/token e.g. https://so-vnfm-adapter.onap:9092/oauth/token. The VNFM can request a token from this endpoint for use in grant requests and notifications +to the VNFM adapter. The username/password to be used in the token request are passed to the VNFM in a subscription request. The username/password sent by the VNFM adpater in the subscription request can be configuered using the +following parameter: +vnfmadapter: + auth: +where is ':' encoded using org.onap.so.utils.CryptoUtils with the key set by the paramter: +mso: + key: +The default username:password is vnfm-adapter:123456 when vnfm-adapter.auth is not set. + +--------------- +VNFM simulator: +--------------- +Set the following parameters for the simulator: +spring: + profiles: + active: oauth-authentication +server: + request: + grant: + auth: oauth + +========================================== +To use basic auth for notifications +========================================== +The same username/password is used as for oauth token requests as describe above and passed to the VNFM in the subscription request. \ No newline at end of file diff --git a/so-etsi-sol003-adapter-application/pom.xml b/so-etsi-sol003-adapter-application/pom.xml index 46809d9..3550616 100644 --- a/so-etsi-sol003-adapter-application/pom.xml +++ b/so-etsi-sol003-adapter-application/pom.xml @@ -8,4 +8,79 @@ so-etsi-sol003-adapter-application SO ETSI SOL003 Application Jar + + ${project.artifactId}-${project.version} + + + org.springframework.boot + spring-boot-maven-plugin + + org.onap.so.adapters.etsisol003adapter.Application + + + + + repackage + + + + + + org.apache.maven.plugins + maven-jar-plugin + + + original + + + + + org.jacoco + jacoco-maven-plugin + + + org.apache.maven.plugins + maven-surefire-plugin + + + DEBUG + + 2 + suites + false + 1 + + + + + + src/main/resources + true + + **/*.p12 + **/*.jks + + + + src/main/resources + false + + **/*.p12 + **/*.jks + + + + + + + org.onap.so.adapters.so-etsi-sol003-adapter.lcm + so-etsi-sol003-adapter-lcm-service + ${project.version} + + + org.onap.so.adapters.so-etsi-sol003-adapter.pkgm + so-etsi-sol003-adapter-pkgm-service + ${project.version} + + \ No newline at end of file diff --git a/so-etsi-sol003-adapter-application/src/main/java/org/onap/so/adapters/etsisol003adapter/Application.java b/so-etsi-sol003-adapter-application/src/main/java/org/onap/so/adapters/etsisol003adapter/Application.java new file mode 100755 index 0000000..261d224 --- /dev/null +++ b/so-etsi-sol003-adapter-application/src/main/java/org/onap/so/adapters/etsisol003adapter/Application.java @@ -0,0 +1,57 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2019 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.so.adapters.etsisol003adapter; + +import static org.slf4j.LoggerFactory.getLogger; +import org.onap.so.adapters.etsisol003adapter.lcm.rest.EtsiSol003AdapterController; +import org.slf4j.Logger; +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.EnableAutoConfiguration; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration; +import org.springframework.cache.annotation.EnableCaching; + +/** + * The spring boot application for the ETSI SOL003 Adapter. + *

+ * The ETSI SOL003 Adapter receives requests through its REST API {@link EtsiSol003AdapterController} which it adapts + * into ETSI SOL003 compliant LCM (Life Cycle Management) calls towards an ETSI compliant VNFM. + * + * @see ETSI + * SOL003 v2.5.1 + */ +@EnableCaching +@SpringBootApplication(scanBasePackages = {"org.onap.so"}) +@EnableAutoConfiguration(exclude = {JacksonAutoConfiguration.class}) +public class Application { + private static final Logger logger = getLogger(Application.class); + + /** + * Entry point for the Spring boot application + * + * @param args arguments for the application + */ + public static void main(final String[] args) { + new SpringApplication(Application.class).run(args); + logger.info("VnfmAdapterApplication started!"); + } + +} diff --git a/so-etsi-sol003-adapter-application/src/main/java/org/onap/so/adapters/etsisol003adapter/EtsiSol003AdapterBasicHttpSecurityConfigurer.java b/so-etsi-sol003-adapter-application/src/main/java/org/onap/so/adapters/etsisol003adapter/EtsiSol003AdapterBasicHttpSecurityConfigurer.java new file mode 100644 index 0000000..618b4f6 --- /dev/null +++ b/so-etsi-sol003-adapter-application/src/main/java/org/onap/so/adapters/etsisol003adapter/EtsiSol003AdapterBasicHttpSecurityConfigurer.java @@ -0,0 +1,63 @@ +/*- + * ============LICENSE_START======================================================= + * ONAP - SO + * ================================================================================ + * Copyright (C) 2017 - 2018 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Modifications Copyright (c) 2019 Samsung + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.so.adapters.etsisol003adapter; + +import org.onap.so.adapters.etsi.sol003.adapter.common.CommonConstants; +import org.onap.so.security.HttpSecurityConfigurer; +import org.onap.so.security.SoUserCredentialConfiguration; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Primary; +import org.springframework.http.HttpMethod; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.stereotype.Component; +import org.springframework.util.StringUtils; + +/** + * @author Waqas Ikram (waqas.ikram@est.tech) + * @author Gareth Roper (gareth.roper@est.tech) + */ +@Primary +@Component +public class EtsiSol003AdapterBasicHttpSecurityConfigurer implements HttpSecurityConfigurer { + + @Autowired + private SoUserCredentialConfiguration soUserCredentialConfiguration; + + @Value("${server.ssl.client-auth:none}") + private String clientAuth; + + @Override + public void configure(final HttpSecurity http) throws Exception { + if (("need").equalsIgnoreCase(clientAuth)) { + http.csrf().disable().authorizeRequests().anyRequest().permitAll(); + } else { + http.csrf().disable().authorizeRequests().antMatchers("/manage/health", "/manage/info").permitAll() + .antMatchers(HttpMethod.GET, CommonConstants.ETSI_SUBSCRIPTION_NOTIFICATION_BASE_URL).permitAll() + .antMatchers("/**") + .hasAnyRole(StringUtils.collectionToDelimitedString(soUserCredentialConfiguration.getRoles(), ",")) + .and().httpBasic(); + } + } +} + diff --git a/so-etsi-sol003-adapter-application/src/main/resources/application-aaf.yaml b/so-etsi-sol003-adapter-application/src/main/resources/application-aaf.yaml new file mode 100644 index 0000000..e69de29 diff --git a/so-etsi-sol003-adapter-application/src/main/resources/application-basic.yaml b/so-etsi-sol003-adapter-application/src/main/resources/application-basic.yaml new file mode 100644 index 0000000..e69de29 diff --git a/so-etsi-sol003-adapter-application/src/main/resources/application.yaml b/so-etsi-sol003-adapter-application/src/main/resources/application.yaml new file mode 100644 index 0000000..57dc08f --- /dev/null +++ b/so-etsi-sol003-adapter-application/src/main/resources/application.yaml @@ -0,0 +1,63 @@ +# Copyright © 2019 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +spring: + security: + usercredentials: + - username: test + password: '$2a$12$Zi3AuYcZoZO/gBQyUtST2.F5N6HqcTtaNci2Et.ufsQhski56srIu' + role: BPEL-Client + - username: vnfm + password: '$2a$10$Fh9ffgPw2vnmsghsRD3ZauBL1aKXebigbq3BB1RPWtE62UDILsjke' + role: BPEL-Client + http: + converters: + preferred-json-mapper: gson + main: + allow-bean-definition-overriding: true + +server: + port: 9092 + tomcat: + max-threads: 50 + +mso: + key: 07a7159d3bf51a0e53be7a8f89699be7 + +aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + version: v15 + endpoint: https://aai.onap:8443 + +sdc: + username: sdcUser + password: sdcPassword + key: adadadadad + endpoint: http://sdc.onap/1234A + +vnfmadapter: + endpoint: http://so-vnfm-adapter.onap:9092 + +#Actuator +management: + endpoints: + web: + base-path: /manage + exposure: + include: "*" + metrics: + se-global-registry: false + export: + prometheus: + enabled: true # Whether exporting of metrics to Prometheus is enabled. + step: 1m # Step size (i.e. reporting frequency) to use. diff --git a/so-etsi-sol003-adapter-application/src/main/resources/org.onap.so.trust.jks b/so-etsi-sol003-adapter-application/src/main/resources/org.onap.so.trust.jks new file mode 100644 index 0000000..4605a24 Binary files /dev/null and b/so-etsi-sol003-adapter-application/src/main/resources/org.onap.so.trust.jks differ diff --git a/so-etsi-sol003-adapter-application/src/main/resources/so-vnfm-adapter.p12 b/so-etsi-sol003-adapter-application/src/main/resources/so-vnfm-adapter.p12 new file mode 100644 index 0000000..6bd786d Binary files /dev/null and b/so-etsi-sol003-adapter-application/src/main/resources/so-vnfm-adapter.p12 differ -- cgit 1.2.3-korg