Address weak crypto issues 70/122970/1
authorDan Timoney <dtimoney@att.com>
Thu, 29 Jul 2021 15:11:15 +0000 (11:11 -0400)
committerDan Timoney <dtimoney@att.com>
Thu, 29 Jul 2021 15:11:15 +0000 (11:11 -0400)
Fix 2 weak cryptography issues identified by SonarCloud scans.

Issue-ID: CCSDK-3196
Signed-off-by: Dan Timoney <dtimoney@att.com>
Change-Id: I0fee14e7a96badeac8a278de4d74ef244c24f06f

ms/neng/pom.xml
ms/neng/src/main/java/org/onap/ccsdk/apps/ms/neng/service/extinf/impl/PolicyFinderServiceImpl.java
ms/vlantag-api/src/main/java/org/onap/ccsdk/apps/ms/vlantagapi/core/ApplicationSecurityConfig.java

index e2d8aef..ef3f5a5 100644 (file)
             <artifactId>jest</artifactId>
             <version>5.3.3</version>
         </dependency>
+        <dependency>
+            <groupId>org.onap.ccsdk.sli.core</groupId>
+            <artifactId>utils-provider</artifactId>
+            <version>${ccsdk.sli.version}</version>
+        </dependency>
     </dependencies>
 
     <build>
index d577dc4..3351033 100644 (file)
@@ -46,6 +46,7 @@ import org.onap.ccsdk.apps.ms.neng.core.resource.model.GetConfigRequestV2;
 import org.onap.ccsdk.apps.ms.neng.core.resource.model.GetConfigResponse;
 import org.onap.ccsdk.apps.ms.neng.core.rs.interceptors.PolicyManagerAuthorizationInterceptor;
 import org.onap.ccsdk.apps.ms.neng.extinf.props.PolicyManagerProps;
+import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.web.client.RestTemplateBuilder;
@@ -233,7 +234,7 @@ public class PolicyFinderServiceImpl implements PolicyFinder {
         TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
         SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
                         .loadTrustMaterial(null, acceptingTrustStrategy).build();
-        HostnameVerifier verifier = (String arg0, SSLSession arg1) -> true;
+        HostnameVerifier verifier = new AcceptIpAddressHostNameVerifier();
         SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, verifier);
         CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
         HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
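Review bot: Replacing the hostname verifier does not close the weak-TLS finding on this hunk, because `acceptingTrustStrategy` on its first line still returns true for every certificate chain, so the `SSLContext` built from it accepts any server certificate and the connection remains open to an active man-in-the-middle; a hostname check only compares the name against a certificate that was never validated. The trust material should come from a real truststore instead, e.g. drop `acceptingTrustStrategy` and build the context with `SSLContext sslContext = org.apache.http.ssl.SSLContexts.createSystemDefault();`, or `loadTrustMaterial(trustStoreFile, password, null)` if `PolicyManagerProps` carries a dedicated truststore (not visible here). `AcceptIpAddressHostNameVerifier` presumably relaxes the check only when the target is an IP literal, so it is worth confirming the policy-manager endpoint is reached by hostname rather than address, otherwise the relaxed path is taken on every call. The enclosing method starts and ends outside this hunk.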
index bd0abe6..80c42fb 100644 (file)
@@ -29,6 +29,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.config.http.SessionCreationPolicy;\r
 import org.springframework.security.core.userdetails.User;\r
 import org.springframework.security.core.userdetails.UserDetails;\r
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;\r
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;\r
 import org.springframework.security.crypto.password.PasswordEncoder;\r
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;\r
@@ -51,7 +52,8 @@ public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter{
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {\r
                List<UserDetails> userDetails = new ArrayList<>();\r
                \r
-               PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();\r
+               // Explicitly set bcrypt password encoder rather than using default\r
+               PasswordEncoder encoder = new BCryptPasswordEncoder();\r
        final User.UserBuilder userBuilder = User.builder().passwordEncoder(encoder::encode);\r
 \r
                String authString = environment.getProperty("application.authToken");\r
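Review bot: A bare `BCryptPasswordEncoder` emits hashes without the `{bcrypt}` id prefix that `createDelegatingPasswordEncoder()` produced, so the same `encoder` must also be registered on the `AuthenticationManagerBuilder` (`.passwordEncoder(encoder)` on the user-details registration); if it is not, Spring Security's default delegating encoder will reject the unprefixed hashes at login with an "no PasswordEncoder mapped for the id null" error. The part of `configure` where `auth` is wired is outside this hunk, so please confirm. The new comment should say why the change matters, since the delegating encoder already encoded with bcrypt: `// Use BCrypt directly (no {id} prefix) so in-memory credentials can never be matched by a weaker delegated encoder`. An explicit work factor such as `new BCryptPasswordEncoder(12)` is also worth considering if login latency allows.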