From fdaafe26bd0dba6fa825e22f16b9819ca2771bec Mon Sep 17 00:00:00 2001 From: dglFromAtt Date: Fri, 6 Mar 2020 13:49:02 -0500 Subject: [PATCH] Use dynamic certificates New property indicates to use cadi properties file. Use Cadi library to access the properties, esp the pwd Issue-ID: DMAAP-1401 Signed-off-by: dglFromAtt Change-Id: I1dcb236341a9795aa6bc0b5da71f046f5e0afa30 Signed-off-by: dglFromAtt --- pom.xml | 2 +- .../onap/dmaap/dbcapi/client/MrProvConnection.java | 17 +++- .../dbcapi/server/CadiCertificateManager.java | 61 ++++++++++++++ .../dbcapi/server/CertficateManagerFactory.java | 51 +++++++++++ .../dmaap/dbcapi/server/CertificateManager.java | 98 ++++++++++++++++++++++ .../org/onap/dmaap/dbcapi/server/JettyServer.java | 49 ++++++----- .../dbcapi/server/LegacyCertificateManager.java | 39 +++++++++ version.properties | 2 +- 8 files changed, 292 insertions(+), 27 deletions(-) create mode 100644 src/main/java/org/onap/dmaap/dbcapi/server/CadiCertificateManager.java create mode 100644 src/main/java/org/onap/dmaap/dbcapi/server/CertficateManagerFactory.java create mode 100644 src/main/java/org/onap/dmaap/dbcapi/server/CertificateManager.java create mode 100644 src/main/java/org/onap/dmaap/dbcapi/server/LegacyCertificateManager.java diff --git a/pom.xml b/pom.xml index 6a149d1..7328dbb 100644 --- a/pom.xml +++ b/pom.xml @@ -420,7 +420,7 @@ UTF-8 9.4.24.v20191120 1.0.0 - 2.0.1-SNAPSHOT + 2.0.2-SNAPSHOT 4.12 0.7.7.201606060606 diff --git a/src/main/java/org/onap/dmaap/dbcapi/client/MrProvConnection.java b/src/main/java/org/onap/dmaap/dbcapi/client/MrProvConnection.java index 688bbce..9c3fa4e 100644 --- a/src/main/java/org/onap/dmaap/dbcapi/client/MrProvConnection.java +++ b/src/main/java/org/onap/dmaap/dbcapi/client/MrProvConnection.java 
@@ -76,15 +76,24 @@ public class MrProvConnection extends BaseLoggingClass{ public boolean makeTopicConnection( MR_Cluster cluster ) { - logger.info( "connect to cluster: " + cluster.getDcaeLocationName()); - + boolean rc = false; + logger.info( "connect to cluster: " + cluster.getDcaeLocationName()); + provURL = cluster.getTopicProtocol() + "://" + cluster.getFqdn() + ":" + cluster.getTopicPort() + "/topics/create"; if ( cluster.getTopicProtocol().equals( "https" ) ) { - return makeSecureConnection( provURL ); + rc = makeSecureConnection( provURL ); + } else { + rc = makeConnection( provURL ); } - return makeConnection( provURL ); + if ( rc && unit_test.equals( "Yes" ) ) { + // set timeouts low so we don't hold up unit tests in build process + uc.setReadTimeout(5); + uc.setConnectTimeout(5); + } + return rc; + } private boolean makeSecureConnection( String pURL ) { diff --git a/src/main/java/org/onap/dmaap/dbcapi/server/CadiCertificateManager.java b/src/main/java/org/onap/dmaap/dbcapi/server/CadiCertificateManager.java new file mode 100644 index 0000000..1da2bc4 --- /dev/null +++ b/src/main/java/org/onap/dmaap/dbcapi/server/CadiCertificateManager.java 
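Review bot: `unit_test.equals( "Yes" )` in the new guard dereferences `unit_test` with no null check, so if that value (presumably a field loaded from configuration elsewhere in the class) is absent, makeTopicConnection throws NullPointerException instead of returning `rc`; inverting the comparison avoids that: `if ( rc && "Yes".equals( unit_test ) ) {`. The guard also assumes `uc` was populated by whichever of makeSecureConnection/makeConnection returned true — both live outside the hunk, so that cannot be confirmed here, and a short comment on the guard saying that it relies on `uc` being set would help the next reader. The comment on the timeout lines should also say the unit is milliseconds, since `5` is otherwise easy to misread as seconds.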
@@ -0,0 +1,61 @@ +/*- + * ============LICENSE_START======================================================= + * org.onap.dmaap + * ================================================================================ + * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.dmaap.dbcapi.server; + +import java.io.FileInputStream; +import java.io.IOException; +import java.util.Properties; + +import org.onap.aaf.cadi.PropAccess; + +public class CadiCertificateManager extends CertificateManager { + private PropAccess propAccess; + + CadiCertificateManager( Properties properties ) { + String cadiPropsFile = properties.getProperty("cadi.properties", "etc/org.onap.dmaa-bc.props"); + logger.info( "using cadi properties in ", cadiPropsFile); + + propAccess = new PropAccess(); + ready = true; + try { + propAccess.load( new FileInputStream( cadiPropsFile )); + } catch ( IOException e ) { + logger.error( "Failed to load props file: " + cadiPropsFile + "\n" + e.getMessage()); + ready = false; + } + setKeyStoreType( "jks"); + setKeyStoreFile( propAccess.getProperty("cadi_keystore") ); + setKeyStorePassword( decryptPass( propAccess.getProperty("cadi_keystore_password_jks" ) )); + + setTrustStoreType( "jks"); + setTrustStoreFile( 
propAccess.getProperty("cadi_truststore" ) ); + setTrustStorePassword( decryptPass( propAccess.getProperty("cadi_truststore_password" ) )); + } + + private String decryptPass( String password ) { + String clear = null; + try { + clear = propAccess.decrypt(password, false ); + } catch (IOException e) { + logger.error( "Failed to decrypt " + password + ": " + e.getMessage() ); + } + return clear; + } +} diff --git a/src/main/java/org/onap/dmaap/dbcapi/server/CertficateManagerFactory.java b/src/main/java/org/onap/dmaap/dbcapi/server/CertficateManagerFactory.java new file mode 100644 index 0000000..55aa0c1 --- /dev/null +++ b/src/main/java/org/onap/dmaap/dbcapi/server/CertficateManagerFactory.java 
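Review bot: `decryptPass` writes the value it failed to decrypt into the error log (`"Failed to decrypt " + password`), which puts keystore/truststore credential material from the CADI properties file into the server log; log which property could not be decrypted instead, e.g. `logger.error( "Failed to decrypt keystore/truststore password: " + e.getMessage() );`, passing the property name in if the two need to be told apart. The `FileInputStream` handed to `propAccess.load(...)` in the constructor is never closed; wrap it in try-with-resources, `try ( FileInputStream in = new FileInputStream( cadiPropsFile ) ) { propAccess.load( in ); }`. When the load fails the constructor sets `ready = false` but still goes on to read `cadi_keystore` and friends from the empty PropAccess and to call `decryptPass( null )`; returning right after `ready = false` keeps the failure to a single log line. Note also that `logger.info( "using cadi properties in ", cadiPropsFile)` passes the file name as a second argument with no placeholder in the message, so whether it appears in the output depends on the logger API — `"using cadi properties in " + cadiPropsFile` is unambiguous.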
@@ -0,0 +1,51 @@ +/*- + * ============LICENSE_START======================================================= + * org.onap.dmaap + * ================================================================================ + * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dmaap.dbcapi.server; + + +import java.util.Properties; + +import org.onap.dmaap.dbcapi.logging.BaseLoggingClass; +import org.onap.dmaap.dbcapi.util.DmaapConfig; + +public class CertficateManagerFactory extends BaseLoggingClass { + private final Properties dmaapConfig; + + public CertficateManagerFactory() { + this((DmaapConfig) DmaapConfig.getConfig()); + } + + CertficateManagerFactory(Properties params) { + this.dmaapConfig = params; + } + + public CertificateManager initCertificateManager() { + boolean useCadi = "cadi".equalsIgnoreCase(dmaapConfig.getProperty("CertificateManagement", "legacy")); + logger.info("CertificateManagerFactory: useCadi=", useCadi); + + if ( useCadi ) { + return new CadiCertificateManager( dmaapConfig ); + } + return new LegacyCertificateManager( dmaapConfig ); + } + + +} 
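Review bot: The class is named `CertficateManagerFactory` (missing the "i" in Certificate), which is inconsistent with `CertificateManager` and with its own log message `"CertificateManagerFactory: useCadi="`; since the file is new in this commit, renaming the class and the file to `CertificateManagerFactory` now avoids carrying the typo into callers such as JettyServer. Separately, `logger.info("CertificateManagerFactory: useCadi=", useCadi)` passes `useCadi` as an extra argument with no `{}` in the message, so whether the value is printed depends on the logger API; `logger.info("CertificateManagerFactory: useCadi=" + useCadi);` is unambiguous. A one-sentence Javadoc on `initCertificateManager` stating that the `CertificateManagement` property selects `cadi` or `legacy` (default) would document the new switch where operators will look for it.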
diff --git a/src/main/java/org/onap/dmaap/dbcapi/server/CertificateManager.java b/src/main/java/org/onap/dmaap/dbcapi/server/CertificateManager.java
new file mode 100644
index 0000000..e0f554d
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dbcapi/server/CertificateManager.java
@@ -0,0 +1,98 @@ +/*- + * ============LICENSE_START======================================================= + * org.onap.dmaap + * ================================================================================ + * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dmaap.dbcapi.server; + +import org.onap.dmaap.dbcapi.logging.BaseLoggingClass; + +public abstract class CertificateManager extends BaseLoggingClass{ + + class cmAttribute { + private String type; + private String file; + private String password; + + private String getType() { + return type; + } + private void setType(String certificateType) { + this.type = certificateType; + } + private String getFile() { + return file; + } + private void setFile(String keyStoreFile) { + this.file = keyStoreFile; + } + private void setPassword( String pwd ) { + this.password = pwd; + } + private String getPassword() { + return password; + } + } + + private cmAttribute keyStore; + private cmAttribute trustStore; + protected boolean ready; + + public boolean isReady() { + return ready; + } + + public String getKeyStoreType() { + return keyStore.getType(); + } + public void setKeyStoreType(String certificateType) { + this.keyStore.setType( certificateType) ; + } + 
public String getKeyStoreFile() { + return keyStore.getFile(); + } + public void setKeyStoreFile(String keyStoreFile) { + this.keyStore.setFile(keyStoreFile); + } + + public String getKeyStorePassword() { + return keyStore.getPassword(); + } + public void setKeyStorePassword(String keyStorePassword) { + this.keyStore.setPassword(keyStorePassword); + } + public String getTrustStoreType() { + return trustStore.getType(); + } + public void setTrustStoreType( String type ) { + this.trustStore.setType(type); + } + public String getTrustStoreFile() { + return trustStore.getFile(); + } + public void setTrustStoreFile(String trustStoreFile) { + this.trustStore.setFile(trustStoreFile); + } + public String getTrustStorePassword() { + return trustStore.getPassword(); + } + public void setTrustStorePassword(String trustStorePassword) { + this.trustStore.setPassword(trustStorePassword); + } + +} diff --git a/src/main/java/org/onap/dmaap/dbcapi/server/JettyServer.java b/src/main/java/org/onap/dmaap/dbcapi/server/JettyServer.java index 6a75d65..74a0fa6 100644 --- a/src/main/java/org/onap/dmaap/dbcapi/server/JettyServer.java +++ b/src/main/java/org/onap/dmaap/dbcapi/server/JettyServer.java 
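Review bot: `keyStore` and `trustStore` are declared but never assigned, so the first `setKeyStoreType`/`setTrustStoreFile` call in either subclass constructor dereferences null and throws NullPointerException — as committed, neither the CADI nor the legacy manager can be constructed. Initialise them at declaration: `private final cmAttribute keyStore = new cmAttribute();` and `private final cmAttribute trustStore = new cmAttribute();`. As a point of style, `cmAttribute` should be `private static final class CmAttribute`: nested class names are UpperCamelCase, and a nested class that never touches the outer instance should be static. A short class Javadoc saying that subclasses populate both stores and set `ready` only when every value could be loaded would make explicit the contract JettyServer relies on through `isReady()`.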
@@ -76,20 +76,26 @@ public class JettyServer extends BaseLoggingClass { SslContextFactory sslContextFactory = new SslContextFactory.Server(); sslContextFactory.setWantClientAuth(true); - setUpKeystore(params, sslContextFactory); - setUpTrustStore(params, sslContextFactory); - - if (sslPort != 0) { - try (ServerConnector sslConnector = new ServerConnector(server, - new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), - new HttpConnectionFactory(https_config))) { - sslConnector.setPort(sslPort); - server.addConnector(sslConnector); - serverLogger.info("Starting sslConnector on port " + sslPort + " for https"); - } + CertificateManager certificateManager = new CertficateManagerFactory(params).initCertificateManager(); + if ( ! certificateManager.isReady()) { + serverLogger.error("CertificateManager is not ready. NOT starting https!"); } else { - serverLogger.info("NOT starting sslConnector because InHttpsPort param is " + sslPort ); - } + setUpKeystore(certificateManager, sslContextFactory); + setUpTrustStore(certificateManager, sslContextFactory); + + + if (sslPort != 0) { + try (ServerConnector sslConnector = new ServerConnector(server, + new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), + new HttpConnectionFactory(https_config))) { + sslConnector.setPort(sslPort); + server.addConnector(sslConnector); + serverLogger.info("Starting sslConnector on port " + sslPort + " for https"); + } + } else { + serverLogger.info("NOT starting sslConnector because InHttpsPort param is " + sslPort ); + } + } if (allowHttp) { serverLogger.info("Starting httpConnector on port " + httpPort); server.addConnector(httpConnector); 
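Review bot: When `certificateManager.isReady()` is false the new branch logs an error and falls through, so the server still starts — with only the plain-HTTP connector if `allowHttp` is set, or with no connector at all otherwise — rather than failing closed on a broken TLS configuration. Now that the keystore credentials can come from the CADI properties file, a misconfiguration there would silently degrade the service to cleartext; consider failing fast instead, e.g. `throw new IllegalStateException("CertificateManager is not ready; refusing to start without https");`, or at least state in a comment that running without https is an accepted outcome. The enclosing method begins and ends outside the hunk, so I cannot see whether a caller already treats a missing connector as fatal.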
@@ -141,19 +147,20 @@ public class JettyServer extends BaseLoggingClass { Sets.newEnumSet(Sets.newHashSet(DispatcherType.FORWARD, DispatcherType.REQUEST), DispatcherType.class)); } - private void setUpKeystore(Properties params, SslContextFactory sslContextFactory) { - String keystore = params.getProperty("KeyStoreFile", "etc/keystore"); + private void setUpKeystore(CertificateManager certificateManager, SslContextFactory sslContextFactory) { + String keystore = certificateManager.getKeyStoreFile(); logger.info("https Server using keystore at " + keystore); sslContextFactory.setKeyStorePath(keystore); - sslContextFactory.setKeyStorePassword(params.getProperty("KeyStorePassword", "changeit")); - sslContextFactory.setKeyManagerPassword(params.getProperty("KeyPassword", "changeit")); + sslContextFactory.setKeyStoreType(certificateManager.getKeyStoreType()); + sslContextFactory.setKeyStorePassword(certificateManager.getKeyStorePassword()); + sslContextFactory.setKeyManagerPassword(certificateManager.getKeyStorePassword()); } - private void setUpTrustStore(Properties params, SslContextFactory sslContextFactory) { - String truststore = params.getProperty("TrustStoreFile", "etc/org.onap.dmaap-bc.trust.jks"); + private void setUpTrustStore(CertificateManager certificateManager, SslContextFactory sslContextFactory) { + String truststore = certificateManager.getTrustStoreFile(); logger.info("https Server using truststore at " + truststore); sslContextFactory.setTrustStorePath(truststore); - sslContextFactory.setTrustStoreType(params.getProperty("TrustStoreType", "jks")); - sslContextFactory.setTrustStorePassword(params.getProperty("TrustStorePassword", "changeit")); + sslContextFactory.setTrustStoreType(certificateManager.getTrustStoreType()); + sslContextFactory.setTrustStorePassword(certificateManager.getTrustStorePassword()); } } 
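Review bot: `setUpKeystore` now sets the key-manager password to `certificateManager.getKeyStorePassword()`, whereas the removed line read a separate `KeyPassword` property; `LegacyCertificateManager` in this commit never reads `KeyPassword` either, so an existing deployment whose private-key password differs from its keystore password will fail to unlock the key after upgrading. If unifying the two is intended, that is a compatibility break worth stating in the commit message and release notes; otherwise keep a distinct value by having the manager expose `getKeyManagerPassword()` (falling back to the keystore password) and calling `sslContextFactory.setKeyManagerPassword(certificateManager.getKeyManagerPassword());` here. Both helpers also hand the values straight to Jetty, so a `null` from a failed CADI decrypt would surface only as a Jetty start-up failure; an `Objects.requireNonNull(value, "<property name>")` at the top of each helper would make that diagnosable.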
diff --git a/src/main/java/org/onap/dmaap/dbcapi/server/LegacyCertificateManager.java b/src/main/java/org/onap/dmaap/dbcapi/server/LegacyCertificateManager.java
new file mode 100644
index 0000000..bd54003
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dbcapi/server/LegacyCertificateManager.java
@@ -0,0 +1,39 @@ +/*- + * ============LICENSE_START======================================================= + * org.onap.dmaap + * ================================================================================ + * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.dmaap.dbcapi.server; + +import java.util.Properties; + +import org.onap.dmaap.dbcapi.util.DmaapConfig; + +public class LegacyCertificateManager extends CertificateManager { + + public LegacyCertificateManager(Properties properties ) { + setKeyStoreType( properties.getProperty("KeyStoreType", "jks") ); + setKeyStoreFile( properties.getProperty("KeyStoreFile", "etc/keystore") ); + setKeyStorePassword( properties.getProperty("KeyStorePassword", "changeit") ); + + setTrustStoreFile( properties.getProperty("TrustStoreFile", "etc/org.onap.dmaap-bc.trust.jks") ); + setTrustStoreType( properties.getProperty("TrustStoreType", "jks") ); + setTrustStorePassword( properties.getProperty("TrustStorePassword", "changeit") ); + ready = true; + } + +} diff --git a/version.properties b/version.properties index 9afec0f..8d3835e 100644 --- a/version.properties +++ b/version.properties 
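Review bot: `import org.onap.dmaap.dbcapi.util.DmaapConfig;` is unused in this file and should be dropped. The constructor is `public` while `CadiCertificateManager`'s is package-private; both are only meant to be created through the factory, so making this one package-private as well keeps the two consistent. A one-line Javadoc such as `/** Reads keystore and truststore settings from the legacy KeyStoreFile, TrustStoreFile and related dmaap-bc properties. */` would tell a reader how this variant differs from the CADI one.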
@@ -27,7 +27,7 @@ major=2 minor=0 -patch=1 +patch=2 base_version=${major}.${minor}.${patch} # Release must be completed with git revision # in Jenkins -- 2.16.6