From 75b658ccb59078008fb714e1022bb379269d8044 Mon Sep 17 00:00:00 2001
From: ShobhaJayanna <36433611+Shobhajayanna@users.noreply.github.com>
Date: Wed, 16 Aug 2023 15:25:13 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20setting=20default=20value=20of=20nonStri?= =?UTF-8?q?ctVerifySslCertificatesOfServices=20to=20=E2=80=A6=20(#3029)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Setting default value of nonStrictVerifySslCertificatesOfServices to false when certificate verification is enabled
Signed-off-by: sj895092
* refactoring the if conditions for certificate verification
Signed-off-by: sj895092
* wip strict conditions
Signed-off-by: Pablo Hernán Carle
---------
Signed-off-by: sj895092
Signed-off-by: Pablo Hernán Carle
Co-authored-by: Andrea Tabone <39694626+taban03@users.noreply.github.com>
Co-authored-by: Pablo Hernán Carle
---
 api-catalog-package/src/main/resources/bin/start.sh | 6 +++---
 .../apiml/apicatalog/security/SecurityConfiguration.java | 2 +-
 caching-service-package/src/main/resources/bin/start.sh | 6 +++---
 .../zowe/apiml/caching/config/SpringSecurityConfig.java | 2 +-
 .../main/java/org/zowe/apiml/security/HttpsFactory.java | 8 ++++----
 discovery-package/src/main/resources/bin/start.sh | 6 +++---
 .../apiml/discovery/config/HttpsWebSecurityConfig.java | 4 ++--
 gateway-package/src/main/resources/bin/start.sh | 6 +++---
 .../zowe/apiml/util/config/ConfigReaderZaasClient.java | 2 --
 metrics-service-package/src/main/resources/bin/start.sh | 6 +++---
 .../eurekaservice/client/impl/ApiMediationClientImpl.java | 2 +-
 11 files changed, 24 insertions(+), 26 deletions(-)
diff --git a/api-catalog-package/src/main/resources/bin/start.sh b/api-catalog-package/src/main/resources/bin/start.sh
index 36387cec1e..7fcc21df47 100755
--- a/api-catalog-package/src/main/resources/bin/start.sh
+++ b/api-catalog-package/src/main/resources/bin/start.sh
@@ -99,14 +99,14 @@ fi
 verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
 if [ "${verify_certificates_config}" = "DISABLED" ]; then
 verifySslCertificatesOfServices=false
- nonStrictVerifySslCertificatesOfServices=false
+ nonStrictVerifySslCertificatesOfServices=true
 elif [ "${verify_certificates_config}" = "NONSTRICT" ]; then
- verifySslCertificatesOfServices=false
+ verifySslCertificatesOfServices=true
 nonStrictVerifySslCertificatesOfServices=true
 else
 # default value is STRICT
 verifySslCertificatesOfServices=true
- nonStrictVerifySslCertificatesOfServices=true
+ nonStrictVerifySslCertificatesOfServices=false
 fi
 if [ "$(uname)" = "OS/390" ]
diff --git a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java
index ae7a56b12c..92daa8ea06 100644
--- a/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java
+++ b/api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/security/SecurityConfiguration.java
@@ -102,7 +102,7 @@ public SecurityFilterChain basicAuthOrTokenOrCertApiDocFilterChain(HttpSecurity
 .authenticationProvider(gatewayTokenProvider)
 .authenticationProvider(new CertificateAuthenticationProvider());
- if (verifySslCertificatesOfServices || nonStrictVerifySslCertificatesOfServices) {
+ if (verifySslCertificatesOfServices || !nonStrictVerifySslCertificatesOfServices) {
 if (isAttlsEnabled) {
 http.x509()
 .userDetailsService(x509UserDetailsService())
diff --git a/caching-service-package/src/main/resources/bin/start.sh b/caching-service-package/src/main/resources/bin/start.sh
index 70a7b88005..5b6e48cc36 100755
--- a/caching-service-package/src/main/resources/bin/start.sh
+++ b/caching-service-package/src/main/resources/bin/start.sh
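Review bot: In the DISABLED branch the hunk sets `nonStrictVerifySslCertificatesOfServices=true`, which reads like a typo next to `verifySslCertificatesOfServices=false` but appears to be what the Java conditions in this commit depend on: `verifySslCertificatesOfServices || !nonStrictVerifySslCertificatesOfServices` only skips x509 client-certificate authentication when verify is false and nonStrict is true at the same time. A comment on that line would stop a later cleanup from flipping it back, e.g. `# deliberate: the services treat verification as disabled only when verify=false AND nonStrict=true`. The same three-way block is duplicated verbatim in caching-service-package, discovery-package, gateway-package and metrics-service-package start.sh, so the mapping is maintained in five places; moving it into one shared snippet would keep the copies from drifting. Note also that the `tr` upper-casing means any value other than DISABLED or NONSTRICT falls through to STRICT, which is the fail-safe default and worth stating in the `# default value is STRICT` comment.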
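Review bot: The new condition `verifySslCertificatesOfServices || !nonStrictVerifySslCertificatesOfServices` is true for verify=false/nonStrict=false, so a deployment that only sets verifySslCertificatesOfServices=false (the pre-commit meaning of DISABLED in the start.sh scripts, and presumably what a configuration that never sets the nonStrict property gets if its default is false) now has x509 client-certificate authentication enabled instead of disabled; whether that is intended cannot be told from this hunk. It is also inconsistent with HttpsFactory in the same commit, where verifySslCertificatesOfServices alone decides whether certificates are checked and the nonStrict flag only relaxes hostname verification. If the intent is "require client certificates whenever server certificates are verified", `if (verifySslCertificatesOfServices) {` matches HttpsFactory and makes the truth table obvious; if the (false, false) case is deliberately treated as enabled, a comment stating that would help. The same condition appears in SpringSecurityConfig.filterChain and in both HttpsWebSecurityConfig hunks (clientCertificateFilterChain and basicAuthOrTokenOrCertFilterChain). basicAuthOrTokenOrCertApiDocFilterChain starts and ends outside this hunk.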
@@ -72,14 +72,14 @@ fi
 verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
 if [ "${verify_certificates_config}" = "DISABLED" ]; then
 verifySslCertificatesOfServices=false
- nonStrictVerifySslCertificatesOfServices=false
+ nonStrictVerifySslCertificatesOfServices=true
 elif [ "${verify_certificates_config}" = "NONSTRICT" ]; then
- verifySslCertificatesOfServices=false
+ verifySslCertificatesOfServices=true
 nonStrictVerifySslCertificatesOfServices=true
 else
 # default value is STRICT
 verifySslCertificatesOfServices=true
- nonStrictVerifySslCertificatesOfServices=true
+ nonStrictVerifySslCertificatesOfServices=false
 fi
 if [ "$(uname)" = "OS/390" ]
diff --git a/caching-service/src/main/java/org/zowe/apiml/caching/config/SpringSecurityConfig.java b/caching-service/src/main/java/org/zowe/apiml/caching/config/SpringSecurityConfig.java
index 062e57cf2b..53959ffbd5 100644
--- a/caching-service/src/main/java/org/zowe/apiml/caching/config/SpringSecurityConfig.java
+++ b/caching-service/src/main/java/org/zowe/apiml/caching/config/SpringSecurityConfig.java
@@ -65,7 +65,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 .headers().httpStrictTransportSecurity().disable()
 .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
- if (verifyCertificates || nonStrictVerifyCerts) {
+ if (verifyCertificates || !nonStrictVerifyCerts) {
 http.authorizeRequests().anyRequest().authenticated().and()
 .x509().userDetailsService(x509UserDetailsService());
 if (isAttlsEnabled) {
diff --git a/common-service-core/src/main/java/org/zowe/apiml/security/HttpsFactory.java b/common-service-core/src/main/java/org/zowe/apiml/security/HttpsFactory.java
index dd716b0b3c..e83dc75d3b 100644
--- a/common-service-core/src/main/java/org/zowe/apiml/security/HttpsFactory.java
+++ b/common-service-core/src/main/java/org/zowe/apiml/security/HttpsFactory.java
@@ -67,7 +67,7 @@ public CloseableHttpClient createSecureHttpClient(HttpClientConnectionManager co
 }
 public ConnectionSocketFactory createSslSocketFactory() {
- if (config.isVerifySslCertificatesOfServices() || config.isNonStrictVerifySslCertificatesOfServices()) {
+ if (config.isVerifySslCertificatesOfServices()) {
 return getSSLConnectionSocketFactory();
 } else {
 apimlLog.log("org.zowe.apiml.common.ignoringSsl");
@@ -218,7 +218,7 @@ private ConnectionSocketFactory getSSLConnectionSocketFactory() {
 }
 public SSLContext getSslContext() {
- if (config.isVerifySslCertificatesOfServices() || config.isNonStrictVerifySslCertificatesOfServices()) {
+ if (config.isVerifySslCertificatesOfServices()) {
 return createSecureSslContext();
 } else {
 return createIgnoringSslContext();
@@ -246,7 +246,7 @@ public void setSystemSslProperties() {
 }
 public HostnameVerifier getHostnameVerifier() {
- if (config.isVerifySslCertificatesOfServices()) {
+ if (config.isVerifySslCertificatesOfServices() && !config.isNonStrictVerifySslCertificatesOfServices()) {
 return SSLConnectionSocketFactory.getDefaultHostnameVerifier();
 } else {
 return new NoopHostnameVerifier();
@@ -268,7 +268,7 @@ public EurekaJerseyClientBuilder createEurekaJerseyClientBuilder(String eurekaSe
 } else {
 System.setProperty("com.netflix.eureka.shouldSSLConnectionsUseSystemSocketFactory", "true");
- if (config.isVerifySslCertificatesOfServices() || config.isNonStrictVerifySslCertificatesOfServices()) {
+ if (config.isVerifySslCertificatesOfServices()) {
 setSystemSslProperties();
 }
 builder.withCustomSSL(getSslContext());
diff --git a/discovery-package/src/main/resources/bin/start.sh b/discovery-package/src/main/resources/bin/start.sh
index 2a783bf26e..60aa296c1a 100755
--- a/discovery-package/src/main/resources/bin/start.sh
+++ b/discovery-package/src/main/resources/bin/start.sh
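Review bot: getHostnameVerifier now returns `NoopHostnameVerifier` silently whenever `config.isVerifySslCertificatesOfServices() && !config.isNonStrictVerifySslCertificatesOfServices()` is false, whereas the matching relaxation in createSslSocketFactory logs `org.zowe.apiml.common.ignoringSsl` before ignoring certificates; an operator running NONSTRICT (verify true, nonStrict true) therefore gets validated certificate chains but no log line saying that hostname verification is off. Add a log in the else branch through the same mechanism, e.g. `apimlLog.log("<message key for hostname verification disabled>");` with the key defined next to ignoringSsl. A short Javadoc on getHostnameVerifier, getSslContext and createSslSocketFactory would also make the new split explicit: verifySslCertificatesOfServices decides whether the chain is validated at all, nonStrict only drops the hostname check. The bodies of all four methods touched here continue past the end of their hunks.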
@@ -83,14 +83,14 @@ fi
 verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
 if [ "${verify_certificates_config}" = "DISABLED" ]; then
 verifySslCertificatesOfServices=false
- nonStrictVerifySslCertificatesOfServices=false
+ nonStrictVerifySslCertificatesOfServices=true
 elif [ "${verify_certificates_config}" = "NONSTRICT" ]; then
- verifySslCertificatesOfServices=false
+ verifySslCertificatesOfServices=true
 nonStrictVerifySslCertificatesOfServices=true
 else
 # default value is STRICT
 verifySslCertificatesOfServices=true
- nonStrictVerifySslCertificatesOfServices=true
+ nonStrictVerifySslCertificatesOfServices=false
 fi
 if [ "$(uname)" = "OS/390" ]; then
diff --git a/discovery-service/src/main/java/org/zowe/apiml/discovery/config/HttpsWebSecurityConfig.java b/discovery-service/src/main/java/org/zowe/apiml/discovery/config/HttpsWebSecurityConfig.java
index f212a612cc..6f2cea8834 100644
--- a/discovery-service/src/main/java/org/zowe/apiml/discovery/config/HttpsWebSecurityConfig.java
+++ b/discovery-service/src/main/java/org/zowe/apiml/discovery/config/HttpsWebSecurityConfig.java
@@ -119,7 +119,7 @@ public SecurityFilterChain basicAuthOrTokenFilterChain(HttpSecurity http) throws
 @Order(2)
 public SecurityFilterChain clientCertificateFilterChain(HttpSecurity http) throws Exception {
 baseConfigure(http.antMatcher("/eureka/**"));
- if (verifySslCertificatesOfServices || nonStrictVerifySslCertificatesOfServices) {
+ if (verifySslCertificatesOfServices || !nonStrictVerifySslCertificatesOfServices) {
 http.authorizeRequests()
 .anyRequest().authenticated()
 .and().x509().userDetailsService(x509UserDetailsService());
@@ -143,7 +143,7 @@ public SecurityFilterChain basicAuthOrTokenOrCertFilterChain(HttpSecurity http)
 .authenticationProvider(gatewayLoginProvider)
 .authenticationProvider(gatewayTokenProvider)
 .httpBasic().realmName(DISCOVERY_REALM);
- if (verifySslCertificatesOfServices || nonStrictVerifySslCertificatesOfServices) {
+ if (verifySslCertificatesOfServices || !nonStrictVerifySslCertificatesOfServices) {
 http.authorizeRequests().anyRequest().authenticated().and()
 .x509().userDetailsService(x509UserDetailsService());
 if (isAttlsEnabled) {
diff --git a/gateway-package/src/main/resources/bin/start.sh b/gateway-package/src/main/resources/bin/start.sh
index c362f99694..57103bc9bc 100755
--- a/gateway-package/src/main/resources/bin/start.sh
+++ b/gateway-package/src/main/resources/bin/start.sh
@@ -121,14 +121,14 @@ fi
 verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
 if [ "${verify_certificates_config}" = "DISABLED" ]; then
 verifySslCertificatesOfServices=false
- nonStrictVerifySslCertificatesOfServices=false
+ nonStrictVerifySslCertificatesOfServices=true
 elif [ "${verify_certificates_config}" = "NONSTRICT" ]; then
- verifySslCertificatesOfServices=false
+ verifySslCertificatesOfServices=true
 nonStrictVerifySslCertificatesOfServices=true
 else
 # default value is STRICT
 verifySslCertificatesOfServices=true
- nonStrictVerifySslCertificatesOfServices=true
+ nonStrictVerifySslCertificatesOfServices=false
 fi
 if [ -z "${ZWE_configs_apiml_catalog_serviceId}" ]
diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java
index 33837b47f8..81eec2add6 100644
--- a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java
+++ b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java
@@ -10,13 +10,11 @@
 package org.zowe.apiml.util.config;
-import lombok.extern.slf4j.Slf4j;
 import org.zowe.apiml.zaasclient.config.ConfigProperties;
 import static org.zowe.apiml.util.config.ConfigReader.environmentConfiguration;
 import static org.zowe.apiml.util.requests.Endpoints.ROUTED_AUTH;
-@Slf4j
 public class ConfigReaderZaasClient {
 public static ConfigProperties getConfigProperties() {
diff --git a/metrics-service-package/src/main/resources/bin/start.sh b/metrics-service-package/src/main/resources/bin/start.sh
index 53f55a7890..a84f693ed2 100755
--- a/metrics-service-package/src/main/resources/bin/start.sh
+++ b/metrics-service-package/src/main/resources/bin/start.sh
@@ -60,14 +60,14 @@ fi
 verify_certificates_config=$(echo "${ZWE_zowe_verifyCertificates}" | tr '[:lower:]' '[:upper:]')
 if [ "${verify_certificates_config}" = "DISABLED" ]; then
 verifySslCertificatesOfServices=false
- nonStrictVerifySslCertificatesOfServices=false
+ nonStrictVerifySslCertificatesOfServices=true
 elif [ "${verify_certificates_config}" = "NONSTRICT" ]; then
- verifySslCertificatesOfServices=false
+ verifySslCertificatesOfServices=true
 nonStrictVerifySslCertificatesOfServices=true
 else
 # default value is STRICT
 verifySslCertificatesOfServices=true
- nonStrictVerifySslCertificatesOfServices=true
+ nonStrictVerifySslCertificatesOfServices=false
 fi
 if [ "$(uname)" = "OS/390" ]
diff --git a/onboarding-enabler-java/src/main/java/org/zowe/apiml/eurekaservice/client/impl/ApiMediationClientImpl.java b/onboarding-enabler-java/src/main/java/org/zowe/apiml/eurekaservice/client/impl/ApiMediationClientImpl.java
index d8a5235a8c..45f4d4a1b8 100644
--- a/onboarding-enabler-java/src/main/java/org/zowe/apiml/eurekaservice/client/impl/ApiMediationClientImpl.java
+++ b/onboarding-enabler-java/src/main/java/org/zowe/apiml/eurekaservice/client/impl/ApiMediationClientImpl.java
@@ -145,7 +145,7 @@ private EurekaClient initializeEurekaClient(
 builder.verifySslCertificatesOfServices(Boolean.TRUE.equals(sslConfig.getVerifySslCertificatesOfServices()));
 builder.nonStrictVerifySslCertificatesOfServices(Boolean.TRUE.equals(sslConfig.getNonStrictVerifySslCertificatesOfServices()));
 if (Boolean.TRUE.equals(sslConfig.getVerifySslCertificatesOfServices()) ||
- Boolean.TRUE.equals(sslConfig.getNonStrictVerifySslCertificatesOfServices())) {
+ Boolean.FALSE.equals(sslConfig.getNonStrictVerifySslCertificatesOfServices())) {
 builder.trustStore(sslConfig.getTrustStore())
 .trustStoreType(sslConfig.getTrustStoreType())
 .trustStorePassword(sslConfig.getTrustStorePassword());
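Review bot: `Boolean.FALSE.equals(sslConfig.getNonStrictVerifySslCertificatesOfServices())` is false when the property is null, so an unset nonStrict flag and an explicit false now take different paths here, while two lines above `Boolean.TRUE.equals(...)` collapses both into false for the builder; with verify unset or false, the trust store is passed to the builder for (false, false) but not for (false, null), even though the builder sees identical flags in both cases. The condition also diverges from HttpsFactory in this commit, where verifySslCertificatesOfServices alone decides whether the secure SSL context is created, and from the Spring conditions (`verify || !nonStrict`). If the trust store is only needed when server certificates are actually verified, collapsing the two-line condition to `if (Boolean.TRUE.equals(sslConfig.getVerifySslCertificatesOfServices())) {` removes the null ambiguity; I cannot see from this hunk whether the trust store is consumed elsewhere, so please confirm before simplifying. initializeEurekaClient starts and ends outside the hunk.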