From da0eb22129cb541bcb705f564c546089654acea3 Mon Sep 17 00:00:00 2001
From: sebdet
Date: Mon, 8 Feb 2021 14:36:11 +0100
Subject: [PATCH] Remove test usage of the AAF certificate
Fix the broken build by removing the need of the useless certificate, a new one is now generate during the build for the tests.
Issue-ID: POLICY-3036
Signed-off-by: sebdet
Change-Id: I11c2ff5aac8a99c7a2b7e676d6c11bbc861a1de4
Signed-off-by: sebdet
(cherry picked from commit d2178bc9f7d6c06f60a3a8afecd83e428d84cd78)
---
 README.md | 7 +-
 pom.xml | 40 +++++++
 .../onap/policy/clamp/clds/config/SslConfig.java | 11 +-
 src/main/resources/application-noaaf.properties | 2 +-
 src/main/resources/application.properties | 2 +-
 src/main/resources/clds/aaf/org.onap.clamp.p12 | Bin 4155 -> 0 bytes
 .../org/onap/policy/clamp/clds/it/HttpsItCase.java | 115 ++++++---------------
 src/test/resources/https/https-test.properties | 2 +-
 8 files changed, 88 insertions(+), 91 deletions(-)
 delete mode 100644 src/main/resources/clds/aaf/org.onap.clamp.p12
diff --git a/README.md b/README.md
index 031c0e8ef..ba194ec33 100644
--- a/README.md
+++ b/README.md
@@ -114,7 +114,12 @@ With the default log settings, all logs will be generated into console and into
 You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/openapi.json`
-## Clamp AAF - Renew Certificates
+## Clamp AAF - Renew Certificates
+This is not required anymore as in OOM the certificate are generated automatically.
+A certificate is automatically generated during the "build" and it overwrites the p12 located in the
+resource clds/aaf/org.onap.clamp.p12.
+
+
 - Connect to windriver with openvpn
 - create a folder aaf-renewal and go to it
 - create a file aaf.props with that content (or run the agent.sh script below, it will prompt you for values at first run)
diff --git a/pom.xml b/pom.xml
index 6125e686d..92caece96 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1266,6 +1266,46 @@
+
+
+ org.codehaus.mojo
+ keytool-maven-plugin
+ 1.5
+
+
+ add-certificate-for-dev
+
+ ${project.build.directory}/classes/clds/aaf/org.onap.clamp.p12
+ China in the Spring
+ clamptest
+ PKCS12
+ RSA
+ cn=CN, ou=OU, o=O, c=C
+ 365
+
+
+ generateKeyPair
+
+ generate-resources
+
+
+ add-certificate-for-test
+
+ ${project.build.directory}/test-classes/clds/aaf/org.onap.clamp.p12
+ China in the Spring
+ clamptest
+ PKCS12
+ RSA
+ cn=CN, ou=OU, o=O, c=C
+ 365
+
+
+ generateKeyPair
+
+ generate-test-resources
+
+
+
diff --git a/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java b/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java
index 329cb4bed..a72cffd09 100644
--- a/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java
+++ b/src/main/java/org/onap/policy/clamp/clds/config/SslConfig.java
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * ONAP CLAMP
  * ================================================================================
- * Copyright (C) 2019 AT&T Intellectual Property. All rights
+ * Copyright (C) 2019, 2021 AT&T Intellectual Property. All rights
  * reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -74,6 +74,7 @@ public class SslConfig {
 password.toCharArray());
 return truststore;
 }
+
 });
 }
@@ -83,9 +84,13 @@ public class SslConfig {
 return (tomcat) -> tomcat.setSsl(new Ssl() {
 @Override
 public String getKeyPassword() {
- String password = PassDecoder.decode(env.getProperty("server.ssl.key-password"),
+ return PassDecoder.decode(env.getProperty("server.ssl.key-password"),
 env.getProperty("clamp.config.keyFile"));
- return password;
+ }
+
+ @Override
+ public String getKeyAlias() {
+ return env.getProperty("server.ssl.key-alias");
 }
 });
 }
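Review bot: The `add-certificate-for-dev` execution writes the generated self-signed keystore to `${project.build.directory}/classes/clds/aaf/org.onap.clamp.p12` during `generate-resources`, so the built artifact ships a throwaway keystore whose password (`China in the Spring`) is readable in this pom and whose `365` value, presumably the validity in days, starts counting at build time; the commit message only describes the certificate as being generated for the tests. The README hunk says OOM generates the real certificate, so presumably the deployment overwrites this file, but nothing in the pom records that expectation. Suggest a comment at the top of the plugin block: `<!-- Generates a throwaway self-signed keystore for local runs and tests; deployments (OOM) are expected to replace clds/aaf/org.onap.clamp.p12 and to override server.ssl.key-alias if the real alias differs. -->`. The two executions also repeat every value except the keystore path; the shared values (password, alias, store type, key algorithm, dname, validity) could move to a plugin-level `<configuration>` so the dev and test keystores cannot drift apart.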
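Review bot: The new `getKeyAlias()` override in the third SslConfig hunk reads `server.ssl.key-alias` from `env` with no comment saying why; because the `Ssl` object is created with `new Ssl()` inside the customizer rather than taken from the bound `server.ssl` properties, presumably none of the bound values are present on it, which is the same reason `getKeyPassword()` is overridden, and a reader may otherwise assume only these two values need special handling. Suggest above the first `@Override`: `// This Ssl instance is built by hand, so the server.ssl.* values bound by Spring are not populated on it; every value the connector needs must be read from the Environment explicitly.`. When the property is absent the method returns null, and what the connector then selects from the keystore is not visible here, so that fallback deserves a sentence in the comment as well. The enclosing method starts before the hunk.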
diff --git a/src/main/resources/application-noaaf.properties b/src/main/resources/application-noaaf.properties
index 6b28cf7ef..ba838adb8 100644
--- a/src/main/resources/application-noaaf.properties
+++ b/src/main/resources/application-noaaf.properties
@@ -53,7 +53,7 @@ server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
 server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-store-type=PKCS12
-server.ssl.key-alias=clamp@clamp.onap.org
+server.ssl.key-alias=clamptest
 ## Config part for Client certificates
 server.ssl.client-auth=want
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 1b5a26d0a..7d2d4ef1b 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -58,7 +58,7 @@ server.ssl.key-store=classpath:/clds/aaf/org.onap.clamp.p12
 server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-store-type=PKCS12
-server.ssl.key-alias=clamp@clamp.onap.org
+server.ssl.key-alias=clamptest
 # The key file used to decode the key store and trust store password
 # If not defined, the key store and trust store password will not be decrypted
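Review bot: `server.ssl.key-alias=clamptest` in `application.properties` (and the identical change in `application-noaaf.properties` here and in `https-test.properties` at the end of the patch) hard-wires the main configuration to the alias of the build-generated dev keystore, while the unchanged `server.ssl.key-store` path is the same file the README hunk says OOM overwrites at deployment. If the deployed keystore holds its key under another alias — the previous value was `clamp@clamp.onap.org` — startup will presumably fail to find the key unless `server.ssl.key-alias` is overridden together with the keystore, and nothing in these files says so. Suggest a comment above the property in both main files: `# Must match the alias of the key inside org.onap.clamp.p12; the build-generated dev keystore uses "clamptest", so override this together with the keystore at deployment.`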
diff --git a/src/main/resources/clds/aaf/org.onap.clamp.p12 b/src/main/resources/clds/aaf/org.onap.clamp.p12 deleted file mode 100644 index 268aa1a3ce56e01448f8043cc0b05b5fceb5a47d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4155 zcmY+EXE+=H)`e#nMu|2C(OdL3dM`0i!sw%mE_w}us6#Laq6N`K?=@PKNJI_Mi8gu{ zC2FwQefHb^_Q!qhdERr+{dr(0QgJLGHVj4b3m2a|QZ@2|2nYt|p-3ZDlR%42CWi9MPFB76kXVwimOfWW$od$rt{f2R;K(Kn} zrETKt*?Il_FopsLPHF|X55jfv@f@9Lrjq3VS+|R%=7S=T{$LQx5N1mNebOIuf_}bT z`DD;D?=nF3$hHAz_o2G7>N`A%`rHOFXp06*Mb7A4l_~+OKTL5Vh3l0oRiL>0;1`;7 zZW2q+#;l{oMd_K53n831?$ZGl`2)c+!wQ^(mVpFgqhvB`-@Z?;#nvzvZz7RB%?Z$N zMLSCqtO|g=afnOq2vk%h36(LHZ`&t*`;);=IU~EJ6~%vuv%RcNy%;pzv9HM1r+)aF zmc6HEj#Uu}rR98Cv8R?2@`^`BOd$D}4LZ(NJ?JCM~Np(Y?(v$Ck0SNp9(>6D3Na`fGilWHy4Q3_Ng_Iz3W{&Z(i9g=If`%)(*Z3p4` zWRK$T=CXX2t%tQs&zH|M1pkk&WPYz{^L*!KmU1DgZC9#De+QD|Bb&2Vs9miCWzsE1 z(Dye^vIUgAc_21!zw&!{5$~{=&zyFmj_}c(YP%|`MW=s=q;M8U9hgM_Y5c@xN35!v zr%uY7?$fI&PGyXRN0fOdc6LIV4|Wa-ny^^-MJfvpX3mgyNG~KPU`1bQPRI6%T&5S34Hc0FGiu(+mo1IZQ`>Ku-jC-?b$Xzxb_f z_=RAqc}@^PvGFUUCEk-K>6d2axfF&2mAo44B#3TRdooUOwoL!x`YrsM>}v8cnSU&k zpAiJDqxP{W#Qt8>nD0vZjkeLIvc`KL>rmv8(`Q=v5`ADnZXbc1IU^*r@a_huPCUy$ zh#w0_$tT8rK1CAyeVDG3R~}W(>;;3-m4L1bgU1F-Rq1NbAJm+2md?|QRCvUuIxn4I zRYc>$2SJrOQ)O33k}j;h-*ioU~cpchWp3%f(y{@VP?6n1A7P?Ur!%@*Ox!{my{6S)r7zg zd;U#?M=#Hb*jZV6QL=yLY={ld5q|nhb6UtWR%8SvEvZjO+XPZdSU($meiU#Z$A!1Dv|oG<9l#VS3^U0KAfOXA5X6dW`A-i&Em{&znPPZ+LV{7AU@GgJz0yFv1ax-uOYyd6*D}XD&1EBE#G(W%{;P#h$0RE}G0QNBE{{|@pp&$s-(bbMgP*egY zAtVVC6BQAcgrNu!|2YEV=Aj5={~}2&AmHy3`mY20pZ3N5XZuc=vF6?KCdWx%Q6M;_ zGw6z352?o&pk?9$Nfb5J0ER}isBZP?%`h_NtT%!Si|;7nWZDdoe5WZ~?D+$^CX7;Y79TUndEpnT|Bfuh2jg1t}(xk>=D8@?4L`&o46mfxq4rqN$7 z6RuYvXLhK&$IVj;*HBV_g~NZKDF+~V zzMss+)hs@^%f}e3r`6R_HXjy}`y-SxaUBulQf<%0cj64qQ8dfkevptUL9Y2DRQT-K zy_B~0BxhMR!{{BKSO2he`@9=`J2l}krs~OFoj=MuVEOg!ZL-UH7bP#lWvs+fp($Uv z#*@-pnZyadOgG}CTF!Iy{8|{3x$1J0+j{h$gS7-T%|e;5_Ca1vL-wfNYZ<7@>v1sR z+MB=h$MzjTw|eb;pYIw+jqVswvcAFJzkerTVuF>^)T<)!#q#GVYsOv*{kj6>-y-sP 
zdX`|5-dGuweHXb*?6tzELr2mW5|1eDDVx3?EJa0UbeA8P6+jeu?d@UGz0%d#K zlLo5bgXiz+ox?4-TxL9s7o>4D;gELm)hL|z%GVha;_QQtjLJf|u_NgmXDZ%|!amVX zQ_qO{mga5`N$&SfwtBNpgR>lSGaRnXUg+{o8~UK!Kzr%vlBdV|-r854CcpHxg3shV za!?l1pklKHgkVgClRBBOs8EiQUx{t|=%68L_2rp{O+fA%*P&)>+r-bXi$!cowxE&3 z`$;D~VWSxEXJDt#!td|#V(^xxxYk<)WN{3yQ!pt;<)y_G_;?6ao=OFU?s)B{tqq`fB#zhK)&g zCs%#wm!aZxxg&Yj<%MSBgQPJuf8_+Ws6@G0L* zOfbzW5xpxiG15C*70^JypnbJ}Sk1FkG_i?)k%eEzflzi`^%O#)IbrinGtLPA7D=4U zKO4ah-EPbQrE06i5q^2iBInp(eq9|#6r9_6iuvnF&~24$h_e2onkU)gPog9uRiZ&A z+y*XjJ}LA^F}Jnq5()`Fw=?Xmc*G6vvzS%9?EMDVR;h50*G(ZLo5p;3%?Zz!ljU95 z9vGF)C`OPvu+e<>^g4OgkvI>0x0hQ;h zbJRs=Yx=w;?Wfrvu4t9Z+!XnFw0+J{}$lRtdqw@(@NXmtoZyjN4$N(kYETbG{VoiSt2 zEbW*+&C>?(|I}>(qL-mTcrsrLGAz@87e+Ll9aGb}6cYzzB@p|@gH(;uwr)~l(Hv4t zW(9R5#~5d-ye?_Yu2z;H`D|pgVqkc7>&U4ORSDO*9+2#DBB6Yw?$n*f@f021caPR+ za=T!~Rc@@KPH_u3*8B2%w?;mtMqf)jH!(hL_rnGk5r?Y0@SpE2n&*mn=p5C?ot~k7 zAj=7yM2O1oh~C;ljW#FQ6+EV2XofKHtbq?*dNvD$LQ|e&@`rEAUTc6AUml@F)>rke zk_X_$6b=WjPnmnSSNNP$G5gE?X==Tnds4&=6pa)>-++_NZOC&G2UaRQsqD%4!#37! 
zq!^XKqiy~AI5q!D?dd63vP~tL4*C+uEcb!X{`j{*7Iy1c{OAF&pljaA$0#GEQej+c@=X^Al zD1)AMHKZ9~tV(Un_swwA+>d9on~zI*QU#3`1cJCH36XjslgP+7aSc2kGDb}%*>S8l ztsgSdkGwc$&%1-6pLk2JUQyJpz>CBwi*~7$`@_##qNKKN9C7&ALg#irm`k9C=jTtC zY!1mI?E3OeZ+O7m;+Q*{xBfRqH3M_+Wmho=iq1pF-Gjx`<-ITmrq$#ZPax+cjt|YE zHVZYfvmJVWcrp;Scvp5jh*5V(ydlnM@VB~5RqjA>TKd9Nk~p3R06vcyq>{GUk0)0~ zHJfZA^N`YqLNr9*6RY)1sw$-V*q@X-Ng5gvsPw;mid&8Zr$R)9W6!Z+8C!m0Y}?#r z2!G~vJvF4(iWd!Y*2+a-6HE@q48zC8;UUJxqQL=xpgD_cJVqZqLv)1?1puac3oEZF hn?ca4pvmKu&q&eRm;yzY_gZH*IK=O entity = template.getForEntity("http://localhost:" + this.httpPort + "/swagger.html", - String.class); + ResponseEntity entity = + new RestTemplate().getForEntity("http://localhost:" + this.httpPort + "/swagger.html", + String.class); assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FOUND); - ResponseEntity httpsEntity = template + ResponseEntity httpsEntity = getRestTemplate() .getForEntity("https://localhost:" + this.httpsPort + "/swagger.html", String.class); assertThat(httpsEntity.getStatusCode()).isEqualTo(HttpStatus.OK); assertThat(httpsEntity.getBody()).contains("Clamp Rest API"); @@ -118,16 +80,7 @@ public class HttpsItCase { @Test public void testSwaggerJson() throws Exception { - RestTemplate template = new RestTemplate(); - final MySimpleClientHttpRequestFactory factory = new MySimpleClientHttpRequestFactory(new HostnameVerifier() { - - @Override - public boolean verify(final String hostname, final SSLSession session) { - return true; - } - }); - template.setRequestFactory(factory); - ResponseEntity httpsEntity = template + ResponseEntity httpsEntity = getRestTemplate() .getForEntity("https://localhost:" + this.httpsPort + "/restservices/clds/api-doc", String.class); assertThat(httpsEntity.getStatusCode()).isEqualTo(HttpStatus.OK); assertThat(httpsEntity.getBody()).contains("swagger"); 
@@ -135,25 +88,19 @@ public class HttpsItCase {
 Charset.defaultCharset());
 }
- /**
- * Http Request Factory for ignoring SSL hostname errors. Not for production
- * use!
- */
- class MySimpleClientHttpRequestFactory extends SimpleClientHttpRequestFactory {
-
- private final HostnameVerifier verifier;
-
- public MySimpleClientHttpRequestFactory(final HostnameVerifier verifier) {
- this.verifier = verifier;
- }
-
- @Override
- protected void prepareConnection(final HttpURLConnection connection, final String httpMethod)
- throws IOException {
- if (connection instanceof HttpsURLConnection) {
- ((HttpsURLConnection) connection).setHostnameVerifier(this.verifier);
- }
- super.prepareConnection(connection, httpMethod);
- }
+ private RestTemplate getRestTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
+ SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
+ .loadTrustMaterial(null, new TrustStrategy() {
+ @Override
+ public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+ return true;
+ }
+ }).build();
+ SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, new NoopHostnameVerifier());
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
+ HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
+ requestFactory.setHttpClient(httpClient);
+ RestTemplate restTemplate = new RestTemplate(requestFactory);
+ return restTemplate;
 }
 }
diff --git a/src/test/resources/https/https-test.properties b/src/test/resources/https/https-test.properties
index 86e444efe..aeae64036 100644
--- a/src/test/resources/https/https-test.properties
+++ b/src/test/resources/https/https-test.properties
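Review bot: The removed `MySimpleClientHttpRequestFactory` carried the javadoc `Not for production use!`, and the new `getRestTemplate()` drops that warning while widening the bypass: the old factory only replaced the hostname verifier, whereas the new `TrustStrategy` returns true for every certificate chain and `NoopHostnameVerifier` disables hostname checks on top of it. Suggest a javadoc on `getRestTemplate()` stating that it is a test-only client which trusts any server certificate and skips hostname verification because the keystore served by the application under test is self-signed and regenerated on every build. The `CloseableHttpClient` built here is never closed and a new one is created on every call, so each test leaves a client and its connection manager open until GC; keeping one template in a field, or closing the client in an `@After` method, would avoid that. As a matter of style the anonymous `TrustStrategy` can be the lambda `(chain, authType) -> true`, `org.apache.http.ssl.SSLContexts` is the only type referenced by its fully qualified name, and the `restTemplate` local is redundant: `return new RestTemplate(requestFactory);`.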
@@ -31,7 +31,7 @@ server.ssl.key-store=classpath:clds/aaf/org.onap.clamp.p12
 server.ssl.key-store-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-password=enc:WWCxchk4WGBNSvuzLq3MLjMs5ObRybJtts5AI0XD1Vc
 server.ssl.key-store-type=PKCS12
-server.ssl.key-alias=clamp@clamp.onap.org
+server.ssl.key-alias=clamptest
 # The key file used to decode the key store and trust store password
 # If not defined, the key store and trust store password will not be decrypted
-- 
2.16.6