From 61607b8e66f19aba46d0c0f7cec3a9fe2c6e1e08 Mon Sep 17 00:00:00 2001
From: "mark.j.leonard"
Date: Fri, 29 Mar 2019 16:29:44 +0000
Subject: [PATCH] Move REQUIRE_CLIENT_AUTH code to start script

Move the conversion from the REQUIRE_CLIENT_AUTH env variable to the Spring setting server.ssl.client-auth out of the Java code and in to the start script. This declutters the code and exposes this setting. Refactor the code for readability: have Jetty deobfuscate the password string for us rather than manually detecting the "OBF:" prefix. Also fix a typo (spelling mistake).

Change-Id: Ic670c04f97f59e06e48ca2cf4d7a0188020b3eaa
Issue-ID: AAI-2280
Signed-off-by: mark.j.leonard
---
 src/main/bin/start.sh | 4 ++++
 .../java/org/onap/aai/babel/BabelApplication.java | 23 +++++++++-------------
 .../org/onap/aai/babel/request/RequestHeaders.java | 7 ++++---
 src/main/resources/application.properties | 1 +
 .../java/org/onap/aai/babel/TestApplication.java | 14 +++++++++++++
 5 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/src/main/bin/start.sh b/src/main/bin/start.sh
index 3121c8e..8c4cdf5 100644
--- a/src/main/bin/start.sh
+++ b/src/main/bin/start.sh
@@ -35,6 +35,10 @@ PROPS="-DAPP_HOME=${APP_HOME}"
 PROPS="${PROPS} -DCONFIG_HOME=${CONFIG_HOME}"
 PROPS="${PROPS} -Dtosca.mappings.config=${CONFIG_HOME}/tosca-mappings.json"
 PROPS="${PROPS} -DKEY_STORE_PASSWORD=${KEY_STORE_PASSWORD}"
+if [ ! -z "$REQUIRE_CLIENT_AUTH" ]; then
+ PROPS="$PROPS -Dserver.ssl.client-auth=${REQUIRE_CLIENT_AUTH}"
+fi
+
 JVM_MAX_HEAP=${MAX_HEAP:-1024}
 exec java -Xmx${JVM_MAX_HEAP}m ${PROPS} -jar ${APP_HOME}/babel.jar
diff --git a/src/main/java/org/onap/aai/babel/BabelApplication.java b/src/main/java/org/onap/aai/babel/BabelApplication.java
index 9eaa0ce..e524e6e 100644
--- a/src/main/java/org/onap/aai/babel/BabelApplication.java
+++ b/src/main/java/org/onap/aai/babel/BabelApplication.java
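Review bot: The new `if` hands `$REQUIRE_CLIENT_AUTH` to `server.ssl.client-auth` verbatim, which changes what the variable means: the Java code this patch removes mapped `false` (case-insensitively) to `want` and every other value, `true` or `none` included, to `need`, whereas Spring Boot will now try to bind the literal string. A deployment still exporting `REQUIRE_CLIENT_AUTH=true` or `false` should therefore fail at startup — fail-closed, but a compatibility break the commit message does not mention — while `none`, previously coerced to `need`, now switches client-certificate authentication off entirely. Since the script is now the only place this security setting is interpreted, I would validate the value there and keep accepting the legacy booleans, as below; `[ -n ... ]` also reads more naturally than `[ ! -z ... ]`. The unquoted `${PROPS}` on the `exec java` line is pre-existing, but it means a value containing whitespace would be split into extra JVM arguments, which the `case` below rules out.
```shell
PROPS="${PROPS} -DKEY_STORE_PASSWORD=${KEY_STORE_PASSWORD}"
if [ -n "$REQUIRE_CLIENT_AUTH" ]; then
  case "$REQUIRE_CLIENT_AUTH" in
    need|want|none) ;;
    # Legacy values understood by the Java code this patch removes.
    true|TRUE|True)    REQUIRE_CLIENT_AUTH=need ;;
    false|FALSE|False) REQUIRE_CLIENT_AUTH=want ;;
    *)
      echo "REQUIRE_CLIENT_AUTH must be one of need, want, none (got '${REQUIRE_CLIENT_AUTH}')" >&2
      exit 1
      ;;
  esac
  PROPS="${PROPS} -Dserver.ssl.client-auth=${REQUIRE_CLIENT_AUTH}"
fi
# … unchanged: JVM_MAX_HEAP and exec java …
```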
@@ -21,7 +21,7 @@
 
 package org.onap.aai.babel;
 
-import java.util.HashMap;
+import com.google.common.collect.ImmutableMap;
 import org.eclipse.jetty.util.security.Password;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@@ -38,26 +38,21 @@ public class BabelApplication extends SpringBootServletInitializer {
 /**
 * Spring Boot Initialization.
- *
+ *
 * @param args
- * main args
+ * main args (expected to be null)
 */
 public static void main(String[] args) {
 String keyStorePassword = System.getProperty("KEY_STORE_PASSWORD");
 if (keyStorePassword == null || keyStorePassword.isEmpty()) {
- throw new IllegalArgumentException("Env property KEY_STORE_PASSWORD not set");
+ throw new IllegalArgumentException("Mandatory property KEY_STORE_PASSWORD not set");
 }
 
- HashMap props = new HashMap<>();
- String decryptedValue = keyStorePassword.startsWith(Password.__OBFUSCATE) ? //
- Password.deobfuscate(keyStorePassword) : keyStorePassword;
- props.put("server.ssl.key-store-password", decryptedValue);
+ ImmutableMap defaults =
+ ImmutableMap.of("server.ssl.key-store-password", new Password(keyStorePassword).toString());
 
- String requireClientAuth = System.getenv("REQUIRE_CLIENT_AUTH");
- props.put("server.ssl.client-auth",
- Boolean.FALSE.toString().equalsIgnoreCase(requireClientAuth) ? "want" : "need");
-
- context = new BabelApplication()
- .configure(new SpringApplicationBuilder(BabelApplication.class).properties(props)).run(args);
+ context = new BabelApplication() //
+ .configure(new SpringApplicationBuilder(BabelApplication.class).properties(defaults)) //
+ .run(args);
 }
 
 public static void exit() {
diff --git a/src/main/java/org/onap/aai/babel/request/RequestHeaders.java b/src/main/java/org/onap/aai/babel/request/RequestHeaders.java
index f0d960c..1850d62 100644
--- a/src/main/java/org/onap/aai/babel/request/RequestHeaders.java
+++ b/src/main/java/org/onap/aai/babel/request/RequestHeaders.java
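Review bot: The new Javadoc `main args (expected to be null)` contradicts both callers visible in this patch: start.sh launches `java -jar` with no arguments, which gives `main` an empty array, and TestApplication calls `BabelApplication.main(new String[] {})`, so `args` is never null — `main args (normally empty; passed through to Spring Boot unchanged)` would be accurate. The removed `startsWith(Password.__OBFUSCATE)` check documented an intent that `new Password(keyStorePassword).toString()` now hides; a comment such as `// Jetty's Password decodes an "OBF:"-prefixed value; anything else should pass through unchanged.` keeps it visible. It is also worth stating somewhere that `OBF:` is a reversible encoding, not encryption, so the value reaching this method as a system property needs protecting by whatever supplies it. If `ImmutableMap defaults` really is declared as the raw type shown here (generics may have been lost in rendering), give it `<String, Object>` to match `SpringApplicationBuilder.properties(Map<String, Object>)`, or drop the Guava import and use `Collections.singletonMap(...)` since only one entry is needed.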
@@ -2,8 +2,8 @@
 * ============LICENSE_START=======================================================
 * org.onap.aai
 * ================================================================================
- * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
- * Copyright © 2017-2018 European Software Marketing Ltd.
+ * Copyright (c) 2017-2018 AT&T Intellectual Property. All rights reserved.
+ * Copyright (c) 2017-2019 European Software Marketing Ltd.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 * limitations under the License.
 * ============LICENSE_END=========================================================
 */
+
 package org.onap.aai.babel.request;
 
 import java.util.Optional;
@@ -62,7 +63,7 @@ public class RequestHeaders {
 * If the correlation ID contains the symbol : then this character and any trailing characters are removed. This
 * allows for an incrementing numeric sequence where there are multiple HTTP requests for a single transaction.
 *
- * @return the normalsed UUID used for correlating transactions across components, or else null (if no ID is set)
+ * @return the normalized UUID used for correlating transactions across components, or else null (if no ID is set)
 */
 public String getCorrelationId() {
 // If the request ID is missing, use the transaction ID (if present)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index b845b8f..187826a 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,5 +1,6 @@
 server.port=9516
 server.ssl.key-store=${CONFIG_HOME}/auth/tomcat_keystore
+server.ssl.client-auth=need
 server.contextPath=/services/babel-service
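Review bot: `server.ssl.client-auth=need` is now the only place the default for client-certificate authentication lives, and nothing at this line tells a reader that start.sh can override it through `REQUIRE_CLIENT_AUTH`, or that the Java fallback to `need` removed in this patch is gone. A comment above the line would save the next maintainer a search: `# Mutual TLS: a client certificate is required by default. start.sh overrides this from REQUIRE_CLIENT_AUTH (Spring accepts need, want or none; none disables client authentication).` Keep `need` as the committed default so that an unset variable never silently weakens the service.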
diff --git a/src/test/java/org/onap/aai/babel/TestApplication.java b/src/test/java/org/onap/aai/babel/TestApplication.java
index 8c9ca5e..bb43b40 100644
--- a/src/test/java/org/onap/aai/babel/TestApplication.java
+++ b/src/test/java/org/onap/aai/babel/TestApplication.java
@@ -93,6 +93,20 @@ public class TestApplication {
 BabelApplication.main(new String[] {});
 }
+ /**
+ * This test asserts that if the KEY_STORE_PASSWORD System Property is set (and is not empty) then the value is
+ * passed to Jetty, debobfuscated, and used to open the key store, even if the resulting password value is actually
+ * an empty string.
+ */
+ @Test
+ public void testApplicationWithBlankObfuscatedKeyStorePassword() {
+ // Note that "OBF:" is correctly deobfuscated and results in an empty string.
+ System.setProperty("KEY_STORE_PASSWORD", "OBF:");
+ final CauseMatcher expectedCause = new CauseMatcher(IOException.class, "password was incorrect");
+ expectedEx.expectCause(expectedCause);
+ BabelApplication.main(new String[] {});
+ }
+
 private static class CauseMatcher extends TypeSafeMatcher {
 private final Class type;
-- 
2.16.6
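Review bot: The new test sets the `KEY_STORE_PASSWORD` system property to `OBF:` and never restores it, so unless a teardown outside this hunk clears it, the value leaks into every test that runs afterwards in the same JVM, including any that expect the property to be unset. Add `@After public void clearKeyStorePassword() { System.clearProperty("KEY_STORE_PASSWORD"); }` (or save and restore the previous value) rather than relying on test order. The expected cause text `password was incorrect` is the wording of the JDK's own keystore exception rather than of this code, so it could change with a JDK or keystore-type upgrade; the `IOException` type is the stable part of the assertion and the message match should stay as loose as it is now or looser. Also fix the typo `debobfuscated` → `deobfuscated` in the new Javadoc.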