inteligr8/alfresco-transform-core
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-transform-core.git synced 2025-05-12 17:04:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

[ACS-4460] introduce mTLS when communicating with SFS (T-Engines communicating with SFS)

Browse Source
This commit is contained in:
kcichonczyk 2023-02-12 21:45:09 +01:00
parent 840529bdb9
commit e3737c977f
4 changed files with 173 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
engines/base/pom.xml
View File

@ -90,7 +90,6 @@
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>

172
engines/base/src/main/java/org/alfresco/transform/base/config/MTLSConfig.java Normal file
View File

@ -0,0 +1,172 @@
/*
* #%L
* Alfresco Transform Core
* %%
* Copyright (C) 2005 - 2023 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* -
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
* -
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
* -
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
* -
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.transform.base.config;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import static org.springframework.http.HttpHeaders.ACCEPT;
import static org.springframework.http.HttpHeaders.CONTENT_TYPE;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@Configuration
public class MTLSConfig {
@Value("${filestore-url}")
private String url;
@Value("${server.ssl.enabled}")
boolean sslEnabled;
@Value("${server.ssl.key.store}")
private Resource keyStoreResource;
//TODO: use some hashing algorithm
@Value("${server.ssl.key.password}")
private char[] keyPassword;
//TODO: use some hashing algorithm
@Value("${server.ssl.key.store.password}")
private char[] keyStorePassword;
@Value("${server.ssl.key.store.type}")
private String keyStoreType;
@Value("${server.ssl.trust.store}")
private Resource trustStoreResource;
//TODO: use some hashing algorithm
@Value("${server.ssl.trust.store.password}")
private char[] trustStorePassword;
@Value("${server.ssl.trust.store.type}")
private String trustStoreType;
@Bean
public WebClient client() throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException
{
if(sslEnabled)
{
HttpClient httpClient = getHttpClientWithMTLS();
return WebClient.builder().baseUrl(url.endsWith("/") ? url : url + "/")
.defaultHeader(CONTENT_TYPE, APPLICATION_JSON_VALUE)
.defaultHeader(ACCEPT, APPLICATION_JSON_VALUE)
.clientConnector(new ReactorClientHttpConnector(httpClient))
.build();
} else {
return WebClient.builder().baseUrl(url.endsWith("/") ? url : url + "/")
.defaultHeader(CONTENT_TYPE, APPLICATION_JSON_VALUE)
.defaultHeader(ACCEPT, APPLICATION_JSON_VALUE)
.build();
}
}
private HttpClient getHttpClientWithMTLS() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
KeyManagerFactory keyManagerFactory = initKeyManagerFactory();
TrustManagerFactory trustManagerFactory = initTrustManagerFactory();
SslContext sslContext = SslContextBuilder.forClient()
.trustManager(trustManagerFactory)
.keyManager(keyManagerFactory)
.build();
HttpClient httpClient = HttpClient.create().secure(p -> p.sslContext(sslContext));
return httpClient;
}
private TrustManagerFactory initTrustManagerFactory() throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore trustStore = getKeyStore(trustStoreType, trustStoreResource, trustStorePassword);
trustManagerFactory.init(trustStore);
return trustManagerFactory;
}
private KeyManagerFactory initKeyManagerFactory() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
KeyStore clientKeyStore = getKeyStore(keyStoreType, keyStoreResource, keyStorePassword);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(keyStoreType);
keyManagerFactory.init(clientKeyStore, keyPassword);
return keyManagerFactory;
}
private KeyStore getKeyStore(String keyStoreType, Resource keyStoreResource, char[] keyStorePassword) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
try (InputStream keyStoreInputStream = keyStoreResource.getInputStream()) {
keyStore.load(keyStoreInputStream, keyStorePassword);
}
return keyStore;
}
@Bean
public RestTemplate restTemplate() throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException, UnrecoverableKeyException {
if(sslEnabled)
{
return getRestTemplateWithMTLS();
} else {
return new RestTemplate();
}
}
private RestTemplate getRestTemplateWithMTLS() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, KeyManagementException, UnrecoverableKeyException {
KeyStore keyStore = getKeyStore(keyStoreType, keyStoreResource, keyStorePassword);
SSLContext sslContext = new SSLContextBuilder()
.loadKeyMaterial(keyStore, keyPassword)
.loadTrustMaterial(trustStoreResource.getURL(), trustStorePassword)
.build();
SSLConnectionSocketFactory sslContextFactory = new SSLConnectionSocketFactory(sslContext);
CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslContextFactory).build();
ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
return new RestTemplate(requestFactory);
}
}

7
engines/base/src/main/java/org/alfresco/transform/base/config/WebApplicationConfig.java
View File

@ -35,7 +35,6 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.FilterType;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@ -64,12 +63,6 @@ public class WebApplicationConfig implements WebMvcConfigurer
.addPathPatterns(ENDPOINT_TRANSFORM, "/live", "/ready");
}
@Bean
public RestTemplate restTemplate()
{
return new RestTemplate();
}
@Bean
public TransformRequestValidator transformRequestValidator()
{

15
engines/base/src/main/java/org/alfresco/transform/base/sfs/SharedFileStoreClient.java
View File

@ -26,10 +26,7 @@
*/
package org.alfresco.transform.base.sfs;
import static org.springframework.http.HttpHeaders.ACCEPT;
import static org.springframework.http.HttpHeaders.CONTENT_TYPE;
import static org.springframework.http.HttpMethod.POST;
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
import static org.springframework.http.MediaType.MULTIPART_FORM_DATA;
import java.io.File;
@ -52,8 +49,6 @@ import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.reactive.function.client.WebClient;
import javax.annotation.PostConstruct;
/**
* Simple Rest client that call Alfresco Shared File Store
*/
@ -68,17 +63,9 @@ public class SharedFileStoreClient
@Autowired
private RestTemplate restTemplate;
@Autowired
private WebClient client;
@PostConstruct
public void init()
{
client = WebClient.builder().baseUrl(url.endsWith("/") ? url : url + "/")
.defaultHeader(CONTENT_TYPE, APPLICATION_JSON_VALUE)
.defaultHeader(ACCEPT, APPLICATION_JSON_VALUE)
.build();
}
/**
* Retrieves a file from Shared File Store using given file reference
*