feat: Security Server can download Global Configuration over HTTPS (#1851)

* feat: security server can download global configuration over https

Refs: XRDDEV-2495

* fix: test fixes

Refs: XRDDEV-2495

* fix: checkstyle fixes

Refs: XRDDEV-2495

* fix: sonar issues fixes

Refs: XRDDEV-2495

* docs: added parameters global_conf_tls_cert_verification, global_conf_hostname_verification

Refs: XRDDEV-2495

* fix: tests changes

Refs: XRDDEV-2495

* fix: get randomized urls fixes

Refs: XRDDEV-2495

* fix: tests fixes

Refs: XRDDEV-2495
enelir authored Nov 13, 2023
1 parent f0bad2b commit 6e80420
Showing 9 changed files with 200 additions and 23 deletions.
17 changes: 10 additions & 7 deletions doc/Manuals/ug-syspar_x-road_v6_system_parameters.md
@@ -1,6 +1,6 @@
# X-Road: System Parameters User Guide

Version: 2.81
Version: 2.82
Doc. ID: UG-SYSPAR


Expand Down Expand Up @@ -92,6 +92,7 @@ Doc. ID: UG-SYSPAR
| 02.10.2023 | 2.79 | Remove Akka references | Ričardas Bučiūnas |
| 18.10.2023 | 2.80 | Add gRPC properties | Ričardas Bučiūnas |
| 23.10.2023 | 2.81 | Update supported command line arguments | Petteri Kivimäki |
| 09.11.2023 | 2.82 | Added new *global_conf_tls_cert_verification*, *global_conf_hostname_verification* parameters | Eneli Reimets |

## Table of Contents

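Review bot: the new changelog row breaks the table's imperative-mood convention. The sibling rows read "Remove Akka references", "Add gRPC properties", "Update supported command line arguments", while this one reads "Added new ... parameters"; suggest "Add *global_conf_tls_cert_verification* and *global_conf_hostname_verification* parameters".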
Expand Down Expand Up @@ -336,12 +337,14 @@ Proxy-ui has been removed in version 6.24 and it's parameters are not used anymo
### 3.6 Configuration Client parameters: `[configuration-client]`

| **Parameter** | **Default value** | **Description** |
|---------------------------------|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| port | 5665 | TCP port on which the configuration client process listens. |
| update-interval | 60 | Global configuration download interval in seconds. |
| admin-port | 5675 | TCP port on which the configuration client process listens for admin commands. |
| allowed-federations | none | A comma-separated list of case-insensitive X-Road instances that fetching configuration anchors is allowed for. This enables federation with the listed instances if the X-Road instance is already federated at the central server level . Special value *none*, if present, disables all federation (the default value), while *all* allows all federations if *none* is not present. Example: *allowed-federations=ee,sv* allows federation with example instances *EE* and *Sv* while *allowed-federations=all,none* disables federation. X-Road services `xroad-confclient` and `xroad-proxy` need to be restarted (in that order) for the setting change to take effect. |
| proxy-configuration-backup-cron | 0 15 3 * * ? | Cron expression for proxy configuration automatic backup job |
|-----------------------------------|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| port | 5665 | TCP port on which the configuration client process listens. |
| update-interval | 60 | Global configuration download interval in seconds. |
| admin-port | 5675 | TCP port on which the configuration client process listens for admin commands. |
| allowed-federations | none | A comma-separated list of case-insensitive X-Road instances that fetching configuration anchors is allowed for. This enables federation with the listed instances if the X-Road instance is already federated at the central server level . Special value *none*, if present, disables all federation (the default value), while *all* allows all federations if *none* is not present. Example: *allowed-federations=ee,sv* allows federation with example instances *EE* and *Sv* while *allowed-federations=all,none* disables federation. X-Road services `xroad-confclient` and `xroad-proxy` need to be restarted (in that order) for the setting change to take effect. |
| proxy-configuration-backup-cron | 0 15 3 * * ? | Cron expression for proxy configuration automatic backup job |
| global_conf_tls_cert_verification | true | It is possible to disable the verification of the global configuration download TLS certificate. Should be `true` in production environment |
| global_conf_hostname_verification | true | It is possible to disable the hostname verification. Does the hostname specified in the URL match the hostname specified in the Common Name (CN) of the Central Server’s TLS certificate. Should be `true` in production environment |

### 3.7 Message log add-on parameters: `[message-log]`

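Review bot: the two new parameter names use underscores (`global_conf_tls_cert_verification`, `global_conf_hostname_verification`) while every other key in this `[configuration-client]` table uses hyphens (`update-interval`, `admin-port`, `allowed-federations`, `proxy-configuration-backup-cron`); unless the underscore form is needed for compatibility, rename to `global-conf-tls-cert-verification` and `global-conf-hostname-verification` before the names appear in a released manual. The descriptions should also say what a `false` value costs: with certificate verification off the configuration client accepts any certificate from the download endpoint, and with hostname verification off it accepts a valid certificate issued for a different host, so in both cases the TLS layer no longer authenticates the Central Server and the setting belongs in test environments only. The hostname row reads awkwardly ("Does the hostname specified in the URL match ..."); suggest "Whether the hostname in the download URL must match the hostname in the Central Server's TLS certificate. Should be `true` in production." Finally, the `allowed-federations` row records that `xroad-confclient` must be restarted for a change to take effect; the new rows should say the same, since the Java side reads both values into `static final` fields at class initialization.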
Expand Up @@ -459,6 +459,12 @@ private SystemProperties() {
public static final String CONFIGURATION_CLIENT_PROXY_CONFIGURATION_BACKUP_CRON =
PREFIX + "configuration-client.proxy-configuration-backup-cron";

public static final String CONFIGURATION_CLIENT_GLOBAL_CONF_TLS_CERT_VERIFICATION =
PREFIX + "configuration-client.global_conf_tls_cert_verification";

public static final String CONFIGURATION_CLIENT_GLOBAL_CONF_HOSTNAME_VERIFICATION =
PREFIX + "configuration-client.global_conf_hostname_verification";

public static final String CONFIGURATION_CLIENT_ALLOWED_FEDERATIONS =
PREFIX + "configuration-client.allowed-federations";

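Review bot: the two new property keys use underscores after the `configuration-client.` prefix, while the neighbouring keys in the same block (`configuration-client.proxy-configuration-backup-cron`, `configuration-client.allowed-federations`) use hyphens; align them with the existing naming before the keys are published, since renaming a documented system parameter later is a breaking change for operators.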
Expand Down Expand Up @@ -1086,6 +1092,14 @@ public static String getConfigurationClientProxyConfigurationBackupCron() {
return System.getProperty(CONFIGURATION_CLIENT_PROXY_CONFIGURATION_BACKUP_CRON, "0 15 3 * * ?");
}

public static boolean isConfigurationClientGlobalConfTlsCertVerificationEnabled() {
return Boolean.parseBoolean(System.getProperty(CONFIGURATION_CLIENT_GLOBAL_CONF_TLS_CERT_VERIFICATION, "true"));
}

public static boolean isConfigurationClientGlobalConfHostnameVerificationEnabled() {
return Boolean.parseBoolean(System.getProperty(CONFIGURATION_CLIENT_GLOBAL_CONF_HOSTNAME_VERIFICATION, "true"));
}

public static String getConfigurationClientAllowedFederations() {
return System.getProperty(CONFIGURATION_CLIENT_ALLOWED_FEDERATIONS, AllowedFederationMode.NONE.name());
}
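Review bot: `Boolean.parseBoolean` in both new getters fails open. It returns `true` only for the string "true" (case-insensitively) and `false` for anything else, so a typo such as `global_conf_tls_cert_verification=ture`, or a value like `yes` or `1`, silently disables certificate verification, which is the unsafe direction for a security-critical flag. Suggest parsing strictly so that only the literal `false` disables a check and any other value keeps the default of `true` (or fails startup with a clear error), e.g. `return !"false".equalsIgnoreCase(System.getProperty(CONFIGURATION_CLIENT_GLOBAL_CONF_TLS_CERT_VERIFICATION, "true"));`, and the same in `isConfigurationClientGlobalConfHostnameVerificationEnabled()`.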
@@ -0,0 +1,109 @@
/*
* The MIT License
* Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
* Copyright (c) 2018 Estonian Information System Authority (RIA),
* Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
* Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/

package ee.ria.xroad.common.conf.globalconf;

import ee.ria.xroad.common.SystemProperties;

import lombok.extern.slf4j.Slf4j;
import org.apache.http.conn.ssl.NoopHostnameVerifier;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import java.net.HttpURLConnection;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

@Slf4j
public final class ConfigurationHttpUrlConnectionConfig {

private static final String TLS = "TLS";
private static final SSLSocketFactory SSL_SOCKET_FACTORY;
private static final boolean TLS_CERTIFICATION_VERIFICATION_ENABLED =
SystemProperties.isConfigurationClientGlobalConfTlsCertVerificationEnabled();
private static final boolean HOSTNAME_VERIFICATION_ENABLED =
SystemProperties.isConfigurationClientGlobalConfHostnameVerificationEnabled();

static {
try {
final SSLContext sslContext = SSLContext.getInstance(TLS);
sslContext.init(null, new TrustManager[]{new NoopTrustManager()}, new SecureRandom());
SSL_SOCKET_FACTORY = sslContext.getSocketFactory();
} catch (NoSuchAlgorithmException | KeyManagementException e) {
throw new IllegalStateException("FATAL: Unable to create socket factory", e);
}
}

private ConfigurationHttpUrlConnectionConfig() {
}

static void apply(HttpURLConnection conn) {
if (conn instanceof HttpsURLConnection httpsConn) {
logSystemPropertiesInfo();

if (!HOSTNAME_VERIFICATION_ENABLED) {
httpsConn.setHostnameVerifier(new NoopHostnameVerifier());
}
if (!TLS_CERTIFICATION_VERIFICATION_ENABLED) {
httpsConn.setSSLSocketFactory(SSL_SOCKET_FACTORY);
}
}
}

private static void logSystemPropertiesInfo() {
log.info("Global conf download TLS certificate verification is " + isEnabled(TLS_CERTIFICATION_VERIFICATION_ENABLED)
+ ", hostname verification is " + isEnabled(HOSTNAME_VERIFICATION_ENABLED));
}

private static String isEnabled(boolean paramValue) {
return paramValue ? "enabled" : "disabled";
}

@SuppressWarnings("java:S4830") // Won't fix: Works as designed ("Server certificates should be verified in production environment")
static class NoopTrustManager implements X509TrustManager {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
// The method gets never called
}

@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
// Trust all
}

@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
}
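Review bot: the trust-all `SSL_SOCKET_FACTORY` is built unconditionally in the static initializer, so a `NoopTrustManager`-backed `SSLContext` exists in every process, including production where `TLS_CERTIFICATION_VERIFICATION_ENABLED` is `true` and it is never used; create it only inside the `!TLS_CERTIFICATION_VERIFICATION_ENABLED` branch (or behind a lazy holder) so the permissive context never exists in a hardened deployment, which also makes the `java:S4830` suppression easier to justify. Two smaller points: `logSystemPropertiesInfo()` logs at INFO whatever the values are, but a disabled check is exactly the case operators need to notice, so log at WARN when either flag is `false` (and use slf4j `{}` placeholders rather than string concatenation); and because both flags are read into `static final` fields, a changed setting takes effect only after `xroad-confclient` restarts, which the manual should state as it already does for `allowed-federations`.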
Expand Up @@ -34,6 +34,7 @@

import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.security.cert.X509Certificate;
Expand Down Expand Up @@ -83,6 +84,7 @@ public static URLConnection getDownloadURLConnection(String urlStr) throws IOExc
URL url = new URL(urlStr);
URLConnection connection = url.openConnection();
connection.setReadTimeout(READ_TIMEOUT);
ConfigurationHttpUrlConnectionConfig.apply((HttpURLConnection) connection);
return connection;
}

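Review bot: the cast `(HttpURLConnection) connection` throws `ClassCastException` for any non-HTTP URL that `url.openConnection()` returns (a `file:` URL, for instance), even though `apply()` already guards internally with `instanceof HttpsURLConnection`. Either change `apply` to accept a `URLConnection` and keep the `instanceof` check there, or guard at the call site: `if (connection instanceof HttpURLConnection httpConn) { ConfigurationHttpUrlConnectionConfig.apply(httpConn); }`.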
0 comments on commit 6e80420