fix: setting default value of nonStrictVerifySslCertificatesOfService…

…s to … (#3029) * Setting default value of nonStrictVerifySslCertificatesOfServices to false when certificate verification is enabled Signed-off-by: sj895092 <[email protected]> * refactoring the if conditions for certificate verification Signed-off-by: sj895092 <[email protected]> * wip strict conditions Signed-off-by: Pablo Hernán Carle <[email protected]> --------- Signed-off-by: sj895092 <[email protected]> Signed-off-by: Pablo Hernán Carle <[email protected]> Co-authored-by: Andrea Tabone <[email protected]> Co-authored-by: Pablo Hernán Carle <[email protected]>
zowe · Aug 16, 2023 · 75b658c · 75b658c
1 parent b1df6f0
commit 75b658c
Show file tree

Hide file tree

Showing 11 changed files with 24 additions and 26 deletions.
diff --git a/api-catalog-package/src/main/resources/bin/start.sh b/api-catalog-package/src/main/resources/bin/start.sh
@@ -99,14 +99,14 @@ fi
 verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
 if [ "${verify_certificates_config}" = "DISABLED" ]; then
   verifySslCertificatesOfServices=false
-  nonStrictVerifySslCertificatesOfServices=false
+  nonStrictVerifySslCertificatesOfServices=true
 elif [ "${verify_certificates_config}" = "NONSTRICT" ]; then
-  verifySslCertificatesOfServices=false
+  verifySslCertificatesOfServices=true
   nonStrictVerifySslCertificatesOfServices=true
 else
   # default value is STRICT
   verifySslCertificatesOfServices=true
-  nonStrictVerifySslCertificatesOfServices=true
+  nonStrictVerifySslCertificatesOfServices=false
 fi
 
 if [ "$(uname)" = "OS/390" ]

diff --git a/...alog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java b/...alog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java
@@ -102,7 +102,7 @@ public SecurityFilterChain basicAuthOrTokenOrCertApiDocFilterChain(HttpSecurity
                 .authenticationProvider(gatewayTokenProvider)
                 .authenticationProvider(new CertificateAuthenticationProvider());
 
-            if (verifySslCertificatesOfServices || nonStrictVerifySslCertificatesOfServices) {
+            if (verifySslCertificatesOfServices || !nonStrictVerifySslCertificatesOfServices) {
                 if (isAttlsEnabled) {
                     http.x509()
                         .userDetailsService(x509UserDetailsService())

diff --git a/caching-service-package/src/main/resources/bin/start.sh b/caching-service-package/src/main/resources/bin/start.sh
@@ -72,14 +72,14 @@ fi
 verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
 if [ "${verify_certificates_config}" = "DISABLED" ]; then
   verifySslCertificatesOfServices=false
-  nonStrictVerifySslCertificatesOfServices=false
+  nonStrictVerifySslCertificatesOfServices=true
 elif [ "${verify_certificates_config}" = "NONSTRICT" ]; then
-  verifySslCertificatesOfServices=false
+  verifySslCertificatesOfServices=true
   nonStrictVerifySslCertificatesOfServices=true
 else
   # default value is STRICT
   verifySslCertificatesOfServices=true
-  nonStrictVerifySslCertificatesOfServices=true
+  nonStrictVerifySslCertificatesOfServices=false
 fi
 
 if [ "$(uname)" = "OS/390" ]

diff --git a/caching-service/src/main/java/org/zowe/apiml/caching/config/SpringSecurityConfig.java b/caching-service/src/main/java/org/zowe/apiml/caching/config/SpringSecurityConfig.java
@@ -65,7 +65,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
             .headers().httpStrictTransportSecurity().disable()
             .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
 
-        if (verifyCertificates || nonStrictVerifyCerts) {
+        if (verifyCertificates || !nonStrictVerifyCerts) {
             http.authorizeRequests().anyRequest().authenticated().and()
                 .x509().userDetailsService(x509UserDetailsService());
             if (isAttlsEnabled) {

diff --git a/common-service-core/src/main/java/org/zowe/apiml/security/HttpsFactory.java b/common-service-core/src/main/java/org/zowe/apiml/security/HttpsFactory.java
@@ -67,7 +67,7 @@ public CloseableHttpClient createSecureHttpClient(HttpClientConnectionManager co
     }
 
     public ConnectionSocketFactory createSslSocketFactory() {
-        if (config.isVerifySslCertificatesOfServices() || config.isNonStrictVerifySslCertificatesOfServices()) {
+        if (config.isVerifySslCertificatesOfServices()) {
             return getSSLConnectionSocketFactory();
         } else {
             apimlLog.log("org.zowe.apiml.common.ignoringSsl");
@@ -218,7 +218,7 @@ private ConnectionSocketFactory getSSLConnectionSocketFactory() {
     }
 
     public SSLContext getSslContext() {
-        if (config.isVerifySslCertificatesOfServices() || config.isNonStrictVerifySslCertificatesOfServices()) {
+        if (config.isVerifySslCertificatesOfServices()) {
             return createSecureSslContext();
         } else {
             return createIgnoringSslContext();
@@ -246,7 +246,7 @@ public void setSystemSslProperties() {
     }
 
     public HostnameVerifier getHostnameVerifier() {
-        if (config.isVerifySslCertificatesOfServices()) {
+        if (config.isVerifySslCertificatesOfServices() && !config.isNonStrictVerifySslCertificatesOfServices()) {
             return SSLConnectionSocketFactory.getDefaultHostnameVerifier();
         } else {
             return new NoopHostnameVerifier();
@@ -268,7 +268,7 @@ public EurekaJerseyClientBuilder createEurekaJerseyClientBuilder(String eurekaSe
         } else {
             System.setProperty("com.netflix.eureka.shouldSSLConnectionsUseSystemSocketFactory", "true");
 
-            if (config.isVerifySslCertificatesOfServices() || config.isNonStrictVerifySslCertificatesOfServices()) {
+            if (config.isVerifySslCertificatesOfServices()) {
                 setSystemSslProperties();
             }
             builder.withCustomSSL(getSslContext());

diff --git a/discovery-package/src/main/resources/bin/start.sh b/discovery-package/src/main/resources/bin/start.sh
@@ -83,14 +83,14 @@ fi
 verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
 if [ "${verify_certificates_config}" = "DISABLED" ]; then
   verifySslCertificatesOfServices=false
-  nonStrictVerifySslCertificatesOfServices=false
+  nonStrictVerifySslCertificatesOfServices=true
 elif [ "${verify_certificates_config}" = "NONSTRICT" ]; then
-  verifySslCertificatesOfServices=false
+  verifySslCertificatesOfServices=true
   nonStrictVerifySslCertificatesOfServices=true
 else
   # default value is STRICT
   verifySslCertificatesOfServices=true
-  nonStrictVerifySslCertificatesOfServices=true
+  nonStrictVerifySslCertificatesOfServices=false
 fi
 
 if [ "$(uname)" = "OS/390" ]; then

diff --git a/discovery-service/src/main/java/org/zowe/apiml/discovery/config/HttpsWebSecurityConfig.java b/discovery-service/src/main/java/org/zowe/apiml/discovery/config/HttpsWebSecurityConfig.java
@@ -119,7 +119,7 @@ public SecurityFilterChain basicAuthOrTokenFilterChain(HttpSecurity http) throws
     @Order(2)
     public SecurityFilterChain clientCertificateFilterChain(HttpSecurity http) throws Exception {
         baseConfigure(http.antMatcher("/eureka/**"));
-        if (verifySslCertificatesOfServices || nonStrictVerifySslCertificatesOfServices) {
+        if (verifySslCertificatesOfServices || !nonStrictVerifySslCertificatesOfServices) {
             http.authorizeRequests()
                 .anyRequest().authenticated()
                 .and().x509().userDetailsService(x509UserDetailsService());
@@ -143,7 +143,7 @@ public SecurityFilterChain basicAuthOrTokenOrCertFilterChain(HttpSecurity http)
             .authenticationProvider(gatewayLoginProvider)
             .authenticationProvider(gatewayTokenProvider)
             .httpBasic().realmName(DISCOVERY_REALM);
-        if (verifySslCertificatesOfServices || nonStrictVerifySslCertificatesOfServices) {
+        if (verifySslCertificatesOfServices || !nonStrictVerifySslCertificatesOfServices) {
             http.authorizeRequests().anyRequest().authenticated().and()
                 .x509().userDetailsService(x509UserDetailsService());
             if (isAttlsEnabled) {

diff --git a/gateway-package/src/main/resources/bin/start.sh b/gateway-package/src/main/resources/bin/start.sh
@@ -121,14 +121,14 @@ fi
 verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
 if [ "${verify_certificates_config}" = "DISABLED" ]; then
   verifySslCertificatesOfServices=false
-  nonStrictVerifySslCertificatesOfServices=false
+  nonStrictVerifySslCertificatesOfServices=true
 elif [ "${verify_certificates_config}" = "NONSTRICT" ]; then
-  verifySslCertificatesOfServices=false
+  verifySslCertificatesOfServices=true
   nonStrictVerifySslCertificatesOfServices=true
 else
   # default value is STRICT
   verifySslCertificatesOfServices=true
-  nonStrictVerifySslCertificatesOfServices=true
+  nonStrictVerifySslCertificatesOfServices=false
 fi
 
 if [ -z "${ZWE_configs_apiml_catalog_serviceId}" ]

diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java
@@ -10,13 +10,11 @@
 
 package org.zowe.apiml.util.config;
 
-import lombok.extern.slf4j.Slf4j;
 import org.zowe.apiml.zaasclient.config.ConfigProperties;
 
 import static org.zowe.apiml.util.config.ConfigReader.environmentConfiguration;
 import static org.zowe.apiml.util.requests.Endpoints.ROUTED_AUTH;
 
-@Slf4j
 public class ConfigReaderZaasClient {
 
         public static ConfigProperties getConfigProperties() {

diff --git a/metrics-service-package/src/main/resources/bin/start.sh b/metrics-service-package/src/main/resources/bin/start.sh
@@ -60,14 +60,14 @@ fi
 verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
 if [ "${verify_certificates_config}" = "DISABLED" ]; then
   verifySslCertificatesOfServices=false
-  nonStrictVerifySslCertificatesOfServices=false
+  nonStrictVerifySslCertificatesOfServices=true
 elif [ "${verify_certificates_config}" = "NONSTRICT" ]; then
-  verifySslCertificatesOfServices=false
+  verifySslCertificatesOfServices=true
   nonStrictVerifySslCertificatesOfServices=true
 else
   # default value is STRICT
   verifySslCertificatesOfServices=true
-  nonStrictVerifySslCertificatesOfServices=true
+  nonStrictVerifySslCertificatesOfServices=false
 fi
 
 if [ "$(uname)" = "OS/390" ]

diff --git a/...r-java/src/main/java/org/zowe/apiml/eurekaservice/client/impl/ApiMediationClientImpl.java b/...r-java/src/main/java/org/zowe/apiml/eurekaservice/client/impl/ApiMediationClientImpl.java
@@ -145,7 +145,7 @@ private EurekaClient initializeEurekaClient(
             builder.verifySslCertificatesOfServices(Boolean.TRUE.equals(sslConfig.getVerifySslCertificatesOfServices()));
             builder.nonStrictVerifySslCertificatesOfServices(Boolean.TRUE.equals(sslConfig.getNonStrictVerifySslCertificatesOfServices()));
             if (Boolean.TRUE.equals(sslConfig.getVerifySslCertificatesOfServices()) ||
-                Boolean.TRUE.equals(sslConfig.getNonStrictVerifySslCertificatesOfServices())) {
+                Boolean.FALSE.equals(sslConfig.getNonStrictVerifySslCertificatesOfServices())) {
                 builder.trustStore(sslConfig.getTrustStore())
                     .trustStoreType(sslConfig.getTrustStoreType())
                     .trustStorePassword(sslConfig.getTrustStorePassword());