*/
package org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.vnfm;
-import com.google.common.base.Joiner;
-import com.google.common.io.BaseEncoding;
-import org.apache.http.conn.ssl.DefaultHostnameVerifier;
-import org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.StoreLoader;
-import org.slf4j.Logger;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
-import org.springframework.util.StringUtils;
-
-import javax.net.ssl.*;
-import java.nio.charset.StandardCharsets;
-import java.security.KeyStore;
-import java.security.SecureRandom;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Set;
-
-import static java.util.UUID.randomUUID;
-import static org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.CbamUtils.buildFatalFailure;
-import static org.slf4j.LoggerFactory.getLogger;
/**
- * Responsible for providing a token to access CBAM APIs
+ * Responsible for providing SSL factories for AAI
*/
@Component
-public class CbamSecurityProvider {
- private static Logger logger = getLogger(CbamSecurityProvider.class);
+public class CbamSecurityProvider extends GenericSecurityProvider {
@Value("${trustedCertificates}")
private String trustedCertificates;
@Value("${skipCertificateVerification}")
@Value("${skipHostnameVerification}")
private boolean skipHostnameVerification;
- protected HostnameVerifier buildHostnameVerifier() {
- if (skipHostnameVerification) {
- return (hostname, session) -> true;
- } else {
- return new DefaultHostnameVerifier();
- }
+ @Override
+ protected boolean skipHostnameVerification() {
+ return skipHostnameVerification;
}
- protected SSLSocketFactory buildSSLSocketFactory() {
- try {
- TrustManager[] trustManagers = new X509TrustManager[]{buildTrustManager()};
- SSLContext sslContext = SSLContext.getInstance("TLS");
- sslContext.init(null, trustManagers, new SecureRandom());
- return sslContext.getSocketFactory();
- } catch (Exception e) {
- throw buildFatalFailure(logger, "Unable to create SSL socket factory", e);
- }
+ @Override
+ protected boolean skipCertificateVerification() {
+ return skipCertificateVerification;
}
- protected X509TrustManager buildTrustManager() {
- if (skipCertificateVerification) {
- return new AllTrustedTrustManager();
- } else {
- if (StringUtils.isEmpty(trustedCertificates)) {
- throw buildFatalFailure(logger, "If the skipCertificateVerification is set to false (default) the trustedCertificates can not be empty");
- }
- Set<String> trustedPems;
- String content;
- try {
- content = new String(BaseEncoding.base64().decode(trustedCertificates), StandardCharsets.UTF_8);
- trustedPems = StoreLoader.getCertifacates(content);
- } catch (Exception e) {
- throw buildFatalFailure(logger, "The trustedCertificates must be a base64 encoded collection of PEM certificates", e);
- }
- if (trustedPems.isEmpty()) {
- throw buildFatalFailure(logger, "No certificate can be extracted from " + content);
- }
- try {
- KeyStore keyStore = StoreLoader.loadStore(Joiner.on("\n").join(trustedPems), randomUUID().toString(), randomUUID().toString());
- TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- trustManagerFactory.init(keyStore);
- return (X509TrustManager) trustManagerFactory.getTrustManagers()[0];
- } catch (Exception e) {
- throw buildFatalFailure(logger, "Unable to create keystore", e);
- }
- }
+ @Override
+ protected String trustedCertificates() {
+ return trustedCertificates;
}
-
- private static class AllTrustedTrustManager implements X509TrustManager {
- @Override
- public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
- //no need to check certificates if everything is trusted
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
- //no need to check certificates if everything is trusted
- }
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[0];
- }
- }
-
}