From f07fc1a586328d2b4cef02bd1d8f9e791130bf1b Mon Sep 17 00:00:00 2001 From: tgolabek Date: Wed, 23 May 2018 11:40:17 +0200 Subject: Refactor of an AAIRestInterface Refactor and some additional tests added (cherry picked from commit 6d8fa7d179b8de802ae386b317ddd1214eac1c47) Change-Id: Ibe7583353499352aa81d100b9995b9c74133c447 Issue-ID: VID-229 Signed-off-by: Stern, Ittay (is9613) [Added proper headers to modified and created files] Signed-off-by: golabek --- .../org/onap/vid/aai/util/HttpsAuthClient.java | 153 ++++++++------------- 1 file changed, 54 insertions(+), 99 deletions(-) (limited to 'vid-app-common/src/main/java/org/onap/vid/aai/util/HttpsAuthClient.java') diff --git a/vid-app-common/src/main/java/org/onap/vid/aai/util/HttpsAuthClient.java b/vid-app-common/src/main/java/org/onap/vid/aai/util/HttpsAuthClient.java index f1eafe42a..15f81439b 100644 --- a/vid-app-common/src/main/java/org/onap/vid/aai/util/HttpsAuthClient.java +++ b/vid-app-common/src/main/java/org/onap/vid/aai/util/HttpsAuthClient.java @@ -3,6 +3,7 @@ * VID * ================================================================================ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Modifications Copyright (C) 2018 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,30 +22,35 @@ package org.onap.vid.aai.util; -import org.eclipse.jetty.util.security.Password; import org.glassfish.jersey.client.ClientConfig; -import org.glassfish.jersey.client.ClientProperties; import org.glassfish.jersey.client.HttpUrlConnectorProvider; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; -import org.onap.portalsdk.core.util.SystemProperties; +import org.onap.vid.aai.exceptions.HttpClientBuilderException; -import javax.net.ssl.*; +import javax.net.ssl.HttpsURLConnection; import javax.ws.rs.client.Client; import javax.ws.rs.client.ClientBuilder; -import java.io.FileInputStream; import java.io.IOException; -import java.security.*; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; +import java.nio.file.FileSystems; +import java.security.GeneralSecurityException; + +import static org.onap.vid.aai.util.HttpClientMode.WITH_KEYSTORE; /** * The Class HttpsAuthClient. */ public class HttpsAuthClient { + private static final String SSL_TRUST_STORE = "javax.net.ssl.trustStore"; + private static final String SSL_TRUST_STORE_PASS_WORD = "javax.net.ssl.trustStorePassword"; + + private final SystemPropertyHelper systemPropertyHelper; + private final SSLContextProvider sslContextProvider; - public HttpsAuthClient(String certFilePath) { + public HttpsAuthClient(String certFilePath, SystemPropertyHelper systemPropertyHelper, SSLContextProvider sslContextProvider) { this.certFilePath = certFilePath; + this.systemPropertyHelper = systemPropertyHelper; + this.sslContextProvider = sslContextProvider; } private final String certFilePath; @@ -52,62 +58,24 @@ public class HttpsAuthClient { /** The logger. */ static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(HttpsAuthClient.class); + /** * Gets the client. * * @return the client - * @throws KeyManagementException the key management exception */ public Client getClient(HttpClientMode mode) throws GeneralSecurityException, IOException { - ClientConfig config = new ClientConfig(); - SSLContext ctx; + ClientConfig config = prepareClientConfig(mode); try { - String truststorePath = getCertificatesPath() + org.onap.vid.aai.util.AAIProperties.FILESEPARTOR + SystemProperties.getProperty(org.onap.vid.aai.util.AAIProperties.AAI_TRUSTSTORE_FILENAME); - String truststorePassword = SystemProperties.getProperty(org.onap.vid.aai.util.AAIProperties.AAI_TRUSTSTORE_PASSWD_X); - String decryptedTruststorePassword = Password.deobfuscate(truststorePassword); - - System.setProperty("javax.net.ssl.trustStore", truststorePath); - System.setProperty("javax.net.ssl.trustStorePassword", decryptedTruststorePassword); - - HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { - public boolean verify(String string, SSLSession ssls) { - return true; - } - }); - ctx = SSLContext.getInstance("TLSv1.2"); - KeyManager[] keyManagers = null; - TrustManager[] trustManagers = getTrustManager(mode); - - switch (mode) { - case WITH_KEYSTORE: - String aaiKeystorePath = getCertificatesPath() + org.onap.vid.aai.util.AAIProperties.FILESEPARTOR + SystemProperties.getProperty(org.onap.vid.aai.util.AAIProperties.AAI_KEYSTORE_FILENAME); - String aaiKeystorePassword = SystemProperties.getProperty(org.onap.vid.aai.util.AAIProperties.AAI_KEYSTORE_PASSWD_X); - config.property(HttpUrlConnectorProvider.SET_METHOD_WORKAROUND, Boolean.TRUE); - config.connectorProvider(new HttpUrlConnectorProvider().useSetMethodWorkaround()); - KeyManagerFactory kmf = getKeyManagerFactory(aaiKeystorePath, aaiKeystorePassword); - keyManagers = kmf.getKeyManagers(); - break; - - case WITHOUT_KEYSTORE: - config.property(ClientProperties.SUPPRESS_HTTP_COMPLIANCE_VALIDATION, true); - break; - - default: - logger.debug(EELFLoggerDelegate.debugLogger, "Error setting up config. HttpClientMode is " + mode); - } - - ctx.init(keyManagers, trustManagers, null); - return ClientBuilder.newBuilder() - .sslContext(ctx) - .hostnameVerifier(new HostnameVerifier() { - @Override - public boolean verify(String s, SSLSession sslSession) { - return true; - } - }).withConfig(config) - .build() - .register(org.onap.vid.aai.util.CustomJacksonJaxBJsonProvider.class); + setSystemProperties(); + + ignoreHostname(); + + return systemPropertyHelper.isClientCertEnabled() ? + getTrustedClient(config, getKeystorePath(), systemPropertyHelper.getDecryptedKeystorePassword(), mode) + : getUntrustedClient(config); + } catch (Exception e) { logger.debug(EELFLoggerDelegate.debugLogger, "Error setting up config", e); throw e; @@ -115,57 +83,44 @@ public class HttpsAuthClient { } - /** - * @param aaiKeystorePath - * @param aaiKeystorePassword - in OBF format - * @return - * @throws NoSuchAlgorithmException - * @throws KeyStoreException - * @throws IOException - * @throws CertificateException - * @throws UnrecoverableKeyException - */ - private KeyManagerFactory getKeyManagerFactory(String aaiKeystorePath, String aaiKeystorePassword) throws IOException, GeneralSecurityException { - String aaiDecryptedKeystorePassword = Password.deobfuscate(aaiKeystorePassword); - KeyManagerFactory kmf = null; - try (FileInputStream fin = new FileInputStream(aaiKeystorePath)) { - kmf = KeyManagerFactory.getInstance("SunX509"); - KeyStore ks = KeyStore.getInstance("PKCS12"); - char[] pwd = aaiDecryptedKeystorePassword.toCharArray(); - ks.load(fin, pwd); - kmf.init(ks, pwd); - } catch (Exception e) { - logger.debug(EELFLoggerDelegate.debugLogger, "Error setting up kmf"); - logger.error(EELFLoggerDelegate.errorLogger, "Error setting up kmf (keystore path: {}, obfuascated keystore password: {})", aaiKeystorePath, aaiKeystorePassword, e); - throw e; - } - return kmf; + private void ignoreHostname() { + HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); } - private String getCertificatesPath() { - return certFilePath; + private Client getUntrustedClient(ClientConfig config) { + return ClientBuilder.newBuilder().withConfig(config).build().register(CustomJacksonJaxBJsonProvider.class); } - private TrustManager[] getTrustManager(HttpClientMode httpClientMode) { - //Creating a trustManager that will accept all certificates. - //TODO - remove this one the POMBA certificate is added to the tomcat_keystore file - TrustManager[] trustAllCerts = null; - if (httpClientMode == HttpClientMode.UNSECURE) { + private Client getTrustedClient(ClientConfig config, String keystorePath, String keystorePassword, HttpClientMode httpClientMode) throws HttpClientBuilderException { + return ClientBuilder.newBuilder() + .sslContext(sslContextProvider.getSslContext(keystorePath, keystorePassword, httpClientMode)) + .hostnameVerifier((s, sslSession) -> true) + .withConfig(config) + .build() + .register(CustomJacksonJaxBJsonProvider.class); + } - trustAllCerts = new TrustManager[]{new X509TrustManager() { - public java.security.cert.X509Certificate[] getAcceptedIssuers() { - return null; - } + private String getKeystorePath() { + return getCertificatesPath() + FileSystems.getDefault().getSeparator() + systemPropertyHelper.getAAIKeystoreFilename(); + } - public void checkClientTrusted(X509Certificate[] certs, String authType) { - } + private void setSystemProperties() { + System.setProperty(SSL_TRUST_STORE, getCertificatesPath() + FileSystems.getDefault().getSeparator() + + systemPropertyHelper.getAAITruststoreFilename().orElse("")); + System.setProperty(SSL_TRUST_STORE_PASS_WORD, systemPropertyHelper.getDecryptedTruststorePassword()); + } - public void checkServerTrusted(X509Certificate[] certs, String authType) { - } - }}; + private ClientConfig prepareClientConfig(HttpClientMode mode) { + ClientConfig config = new ClientConfig(); + if (mode.equals(WITH_KEYSTORE)) { + config.property(HttpUrlConnectorProvider.SET_METHOD_WORKAROUND, Boolean.TRUE); + config.connectorProvider(new HttpUrlConnectorProvider().useSetMethodWorkaround()); } - return trustAllCerts; + return config; } + private String getCertificatesPath() { + return certFilePath; + } } -- cgit 1.2.3-korg