
Example 11 with SecretResolver

use of org.wso2.securevault.SecretResolver in project wso2-synapse by wso2.

the class ClientConnFactoryBuilder method getCustomSSLContexts.

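/**
 * Looks for a transport parameter named customSSLProfiles and initializes zero or more
 * custom SSLContext instances. The syntax for defining custom SSL profiles is as follows.
 * <p>
 * <parameter name="customSSLProfiles">
 *      <profile>
 *          <servers>www.test.org:80, www.test2.com:9763</servers>
 *          <KeyStore>
 *              <Location>/path/to/identity/store</Location>
 *              <Type>JKS</Type>
 *              <Password>password</Password>
 *              <KeyPassword>password</KeyPassword>
 *          </KeyStore>
 *          <TrustStore>
 *              <Location>/path/to/trust/store</Location>
 *              <Type>JKS</Type>
 *              <Password>password</Password>
 *          </TrustStore>
 *      </profile>
 * </parameter>
 * <p>
 * Any number of profiles can be defined under the customSSLProfiles parameter. A profile may
 * carry a {@code novalidatecert="true"} attribute, which is passed through to
 * {@code createSSLContext}. The first profile that names a given host:port wins; later profiles
 * for the same server are logged and ignored.
 *
 * @param transportOut transport out description
 * @return a map of server addresses ("host:port") to SSL contexts, or {@code null} when the
 *         parameter is absent or no server could be registered
 * @throws AxisFault if at least one SSL profile is not properly configured
 * @throws InvalidConfigurationException if an SSL context cannot be created for a profile
 */
private Map<String, SSLContext> getCustomSSLContexts(TransportOutDescription transportOut) throws AxisFault {
    TransportOutDescription customSSLProfileTransport = loadDynamicSSLConfig(transportOut);
    Parameter customProfilesParam = customSSLProfileTransport.getParameter("customSSLProfiles");
    if (customProfilesParam == null) {
        return null;
    }
    if (log.isInfoEnabled()) {
        log.info(name + " Loading custom SSL profiles for the HTTPS sender");
    }
    OMElement customProfilesElt = customProfilesParam.getParameterElement();
    Utils.resolveOMElementChildValues(customProfilesElt);
    SecretResolver secretResolver = SecretResolverFactory.create(customProfilesElt, true);
    Iterator<?> profiles = customProfilesElt.getChildrenWithName(new QName("profile"));
    Map<String, SSLContext> contextMap = new HashMap<String, SSLContext>();
    while (profiles.hasNext()) {
        OMElement profile = (OMElement) profiles.next();
        OMElement serversElt = profile.getFirstChildWithName(new QName("servers"));
        // A missing or blank servers element would otherwise register the context under an
        // empty-string key, so treat it as a configuration error up front.
        if (serversElt == null || serversElt.getText() == null || serversElt.getText().trim().isEmpty()) {
            String msg = "Each custom SSL profile must define at least one host:port " + "pair under the servers element";
            log.error(name + " " + msg);
            throw new AxisFault(msg);
        }
        String[] servers = serversElt.getText().split(",");
        OMElement ksElt = profile.getFirstChildWithName(new QName("KeyStore"));
        OMElement trElt = profile.getFirstChildWithName(new QName("TrustStore"));
        String noValCert = profile.getAttributeValue(new QName("novalidatecert"));
        boolean novalidatecert = "true".equals(noValCert);
        SSLContext sslContext;
        try {
            sslContext = createSSLContext(ksElt, trElt, novalidatecert, secretResolver);
        } catch (AxisFault axisFault) {
            String err = "Error occurred while creating SSL context for the servers " + serversElt.getText();
            // This runtime exception stops the server startup, but it does not affect a dynamic change
            throw new InvalidConfigurationException(err, axisFault);
        }
        for (String rawServer : servers) {
            String server = rawServer.trim();
            if (server.isEmpty()) {
                // e.g. a trailing comma in the servers list: nothing to register
                continue;
            }
            if (!contextMap.containsKey(server)) {
                contextMap.put(server, sslContext);
            } else if (log.isWarnEnabled()) {
                log.warn(name + " Multiple SSL profiles were found for the server : " + server + ". Ignoring the excessive profiles.");
            }
        }
    }
    if (!contextMap.isEmpty()) {
        if (log.isInfoEnabled()) {
            log.info(name + " Custom SSL profiles initialized for " + contextMap.size() + " servers");
        }
        return contextMap;
    }
    return null;
}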
Also used : AxisFault(org.apache.axis2.AxisFault) HashMap(java.util.HashMap) QName(javax.xml.namespace.QName) OMElement(org.apache.axiom.om.OMElement) SSLContext(javax.net.ssl.SSLContext) InvalidConfigurationException(org.apache.synapse.transport.exceptions.InvalidConfigurationException) SecretResolver(org.wso2.securevault.SecretResolver) Parameter(org.apache.axis2.description.Parameter) TransportOutDescription(org.apache.axis2.description.TransportOutDescription)

Example 12 with SecretResolver

use of org.wso2.securevault.SecretResolver in project wso2-synapse by wso2.

the class ClientConnFactoryBuilder method createSSLContext.

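/**
 * Creates an {@link SSLContext} from the KeyStore and TrustStore configuration elements of an
 * SSL profile.
 * <p>
 * When {@code keyStoreElt} is given, the identity key store is loaded and its key managers are
 * used (client authentication). When {@code trustStoreElt} is given, the trust managers come from
 * that store and {@code novalidatecert} is ignored. Without a trust store but with
 * {@code novalidatecert} set, server certificate validation is disabled through
 * {@link NoValidateCertTrustManager}; with neither, {@code null} trust managers are passed to
 * {@link SSLContext#init} so the JVM defaults apply. The protocol is read from the transport's
 * {@code SSLProtocol} parameter and defaults to "TLS".
 * <p>
 * Store and key passwords are read through {@code SecureVaultValueReader}, so they may be
 * secure-vault aliases rather than plain text.
 *
 * @param keyStoreElt    the KeyStore element, or {@code null} when no client identity is configured
 * @param trustStoreElt  the TrustStore element, or {@code null}
 * @param novalidatecert whether server certificate validation may be disabled
 * @return the initialized SSL context
 * @throws AxisFault if a required child element is missing, a store cannot be read, or the
 *                   context cannot be initialized
 */
private SSLContext createSSLContext(OMElement keyStoreElt, OMElement trustStoreElt, boolean novalidatecert) throws AxisFault {
    KeyManager[] keymanagers = null;
    TrustManager[] trustManagers = null;
    // Prefer the resolver registered with the Axis2 configuration; otherwise build one from the
    // KeyStore element itself.
    // NOTE(review): the fallback is reached with a null keyStoreElt when no configuration
    // context is set — confirm SecretResolverFactory.create tolerates that.
    SecretResolver resolver;
    if (configurationContext != null && configurationContext.getAxisConfiguration() != null) {
        resolver = configurationContext.getAxisConfiguration().getSecretResolver();
    } else {
        resolver = SecretResolverFactory.create(keyStoreElt, false);
    }
    if (keyStoreElt != null) {
        // Location/Type used to be dereferenced unchecked; a missing element now fails with the
        // same kind of message as a missing Password element instead of a NullPointerException.
        String location = requiredChildText(keyStoreElt, "Location", "KeyStore");
        String type = requiredChildText(keyStoreElt, "Type", "KeyStore");
        OMElement passwordElement = keyStoreElt.getFirstChildWithName(new QName("Password"));
        OMElement keyPasswordElement = keyStoreElt.getFirstChildWithName(new QName("KeyPassword"));
        if (passwordElement == null) {
            throw new AxisFault("Cannot proceed because Password element is missing in KeyStore");
        }
        if (keyPasswordElement == null) {
            throw new AxisFault("Cannot proceed because KeyPassword element is missing in KeyStore");
        }
        String storePassword = SecureVaultValueReader.getSecureVaultValue(resolver, passwordElement);
        String keyPassword = SecureVaultValueReader.getSecureVaultValue(resolver, keyPasswordElement);
        KeyStore keyStore = loadStore(location, type, storePassword, "Identity Keystore", "Keystore");
        try {
            KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmfactory.init(keyStore, keyPassword.toCharArray());
            keymanagers = kmfactory.getKeyManagers();
        } catch (GeneralSecurityException gse) {
            log.error(name + " Error loading Keystore : " + location, gse);
            throw new AxisFault("Error loading Keystore : " + location, gse);
        }
    }
    if (trustStoreElt != null) {
        if (novalidatecert && log.isWarnEnabled()) {
            log.warn(name + " Ignoring novalidatecert parameter since a truststore has been specified");
        }
        String location = requiredChildText(trustStoreElt, "Location", "TrustStore");
        String type = requiredChildText(trustStoreElt, "Type", "TrustStore");
        OMElement passwordElement = trustStoreElt.getFirstChildWithName(new QName("Password"));
        if (passwordElement == null) {
            throw new AxisFault("Cannot proceed because Password element is missing in TrustStore");
        }
        String storePassword = SecureVaultValueReader.getSecureVaultValue(resolver, passwordElement);
        KeyStore trustStore = loadStore(location, type, storePassword, "Trust Keystore", "Key store");
        try {
            TrustManagerFactory trustManagerfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerfactory.init(trustStore);
            trustManagers = trustManagerfactory.getTrustManagers();
        } catch (GeneralSecurityException gse) {
            log.error(name + " Error loading Key store : " + location, gse);
            throw new AxisFault("Error loading Key store : " + location, gse);
        }
    } else if (novalidatecert) {
        if (log.isWarnEnabled()) {
            log.warn(name + " Server certificate validation (trust) has been disabled. " + "DO NOT USE IN PRODUCTION!");
        }
        trustManagers = new TrustManager[] { new NoValidateCertTrustManager() };
    }
    try {
        final Parameter sslpParameter = transportOut.getParameter("SSLProtocol");
        final String sslProtocol = sslpParameter != null ? sslpParameter.getValue().toString() : "TLS";
        SSLContext sslcontext = SSLContext.getInstance(sslProtocol);
        // null SecureRandom: the provider's default source is used
        sslcontext.init(keymanagers, trustManagers, null);
        return sslcontext;
    } catch (GeneralSecurityException gse) {
        log.error(name + " Unable to create SSL context with the given configuration", gse);
        throw new AxisFault("Unable to create SSL context with the given configuration", gse);
    }
}

/**
 * Returns the text of a mandatory child element of a store configuration element.
 *
 * @param parent    the KeyStore or TrustStore element
 * @param childName the local name of the required child (e.g. "Location")
 * @param storeKind the store name used in the error message ("KeyStore" / "TrustStore")
 * @return the child's text content
 * @throws AxisFault if the child element is absent
 */
private static String requiredChildText(OMElement parent, String childName, String storeKind) throws AxisFault {
    OMElement child = parent.getFirstChildWithName(new QName(childName));
    if (child == null) {
        throw new AxisFault("Cannot proceed because " + childName + " element is missing in " + storeKind);
    }
    return child.getText();
}

/**
 * Opens the file at {@code location} and loads it as a {@link KeyStore} of the given type.
 * The stream is always closed, whether loading succeeds or fails.
 *
 * @param location   path of the store file
 * @param type       key store type, e.g. "JKS"
 * @param password   store password (already resolved from the secure vault)
 * @param debugLabel label for the debug log line ("Identity Keystore" / "Trust Keystore")
 * @param errorLabel label for error messages ("Keystore" / "Key store")
 * @return the loaded store
 * @throws AxisFault if the file cannot be opened or the store cannot be loaded
 */
private KeyStore loadStore(String location, String type, String password, String debugLabel, String errorLabel) throws AxisFault {
    FileInputStream fis = null;
    try {
        KeyStore store = KeyStore.getInstance(type);
        fis = new FileInputStream(location);
        if (log.isDebugEnabled()) {
            log.debug(name + " Loading " + debugLabel + " from : " + location);
        }
        store.load(fis, password.toCharArray());
        return store;
    } catch (GeneralSecurityException gse) {
        log.error(name + " Error loading " + errorLabel + " : " + location, gse);
        throw new AxisFault("Error loading " + errorLabel + " : " + location, gse);
    } catch (IOException ioe) {
        log.error(name + " Error opening " + errorLabel + " : " + location, ioe);
        throw new AxisFault("Error opening " + errorLabel + " : " + location, ioe);
    } finally {
        if (fis != null) {
            try {
                fis.close();
            } catch (IOException ignore) {
                // a failed close of a read-only stream cannot be acted upon; the store is already loaded or rejected
            }
        }
    }
}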
Also used : AxisFault(org.apache.axis2.AxisFault) QName(javax.xml.namespace.QName) GeneralSecurityException(java.security.GeneralSecurityException) OMElement(org.apache.axiom.om.OMElement) IOException(java.io.IOException) SSLContext(javax.net.ssl.SSLContext) KeyStore(java.security.KeyStore) FileInputStream(java.io.FileInputStream) TrustManager(javax.net.ssl.TrustManager) NoValidateCertTrustManager(org.apache.synapse.transport.nhttp.NoValidateCertTrustManager) KeyManagerFactory(javax.net.ssl.KeyManagerFactory) NoValidateCertTrustManager(org.apache.synapse.transport.nhttp.NoValidateCertTrustManager) SecretResolver(org.wso2.securevault.SecretResolver) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) Parameter(org.apache.axis2.description.Parameter) KeyManager(javax.net.ssl.KeyManager)

Example 13 with SecretResolver

use of org.wso2.securevault.SecretResolver in project wso2-synapse by wso2.

the class VFSTransportListener method generateSecureVaultProperties.

/**
 * Helper method to generate securevault properties from given transport configuration.
 * <p>
 * Every transport parameter becomes one property keyed by the parameter name. Parameters
 * that carry an XML element are passed through the Axis2 secret resolver so that
 * secure-vault protected values are replaced by their resolved values; plain parameters
 * contribute their value's string form unchanged.
 *
 * @param inDescription the transport listener configuration whose parameters are exported
 * @return properties holding one entry per transport parameter
 * @throws SecureVaultException if a parameter has an element but the Axis2 configuration
 *                              has no secret resolver
 */
private Properties generateSecureVaultProperties(TransportInDescription inDescription) {
    Properties result = new Properties();
    SecretResolver resolver = getConfigurationContext().getAxisConfiguration().getSecretResolver();
    for (Parameter param : inDescription.getParameters()) {
        String value = param.getValue().toString();
        OMElement element = param.getParameterElement();
        if (element != null) {
            if (resolver == null) {
                throw new SecureVaultException("Cannot resolve secret password because axis2 secret resolver " + "is null");
            }
            // element-backed parameters may hold a secure-vault alias instead of the literal value
            value = MiscellaneousUtil.resolve(element, resolver);
        }
        result.setProperty(param.getName().toString(), value);
    }
    return result;
}
Also used : SecretResolver(org.wso2.securevault.SecretResolver) SecureVaultException(org.wso2.securevault.SecureVaultException) Parameter(org.apache.axis2.description.Parameter) OMElement(org.apache.axiom.om.OMElement) Properties(java.util.Properties)

Example 14 with SecretResolver

use of org.wso2.securevault.SecretResolver in project carbon-business-process by wso2.

the class BPSAnalyticsConfiguration method initConfigurationFromFile.

/**
 * Initialize the configuration object from the properties in the BPS Analytics config xml file.
 * <p>
 * The file is opened only to build a {@link SecretResolver} for secure-vault protected values;
 * if that fails, a warning is logged and the analytics section is initialized with a
 * {@code null} resolver. The sections themselves are read from {@code bpsAnalyticsDocument},
 * which is presumably populated before this method runs — confirm against the caller.
 *
 * @param BPSAnalyticsConfigurationFile the BPS Analytics configuration xml file
 */
private void initConfigurationFromFile(File BPSAnalyticsConfigurationFile) {
    SecretResolver resolver = null;
    try (InputStream configStream = new FileInputStream(BPSAnalyticsConfigurationFile)) {
        StAXOMBuilder documentBuilder = new StAXOMBuilder(configStream);
        resolver = SecretResolverFactory.create(documentBuilder.getDocumentElement(), true);
    } catch (Exception e) {
        // best effort: a missing resolver only disables secure-vault resolution downstream
        log.warn("Error occurred while retrieving secured BPS Analytics configuration.", e);
    }
    TBPSAnalytics analytics = bpsAnalyticsDocument.getBPSAnalytics();
    if (analytics == null) {
        return;
    }
    if (analytics.getAnalyticServer() != null) {
        initAnalytics(resolver, analytics.getAnalyticServer());
    }
    if (analytics.getBPMN() != null) {
        initBPMNAnalytics(analytics.getBPMN());
    }
}
Also used : SecretResolver(org.wso2.securevault.SecretResolver) FileInputStream(java.io.FileInputStream) InputStream(java.io.InputStream) StAXOMBuilder(org.apache.axiom.om.impl.builder.StAXOMBuilder) FileInputStream(java.io.FileInputStream) IOException(java.io.IOException) FileNotFoundException(java.io.FileNotFoundException) XmlException(org.apache.xmlbeans.XmlException) TBPSAnalytics(org.wso2.carbon.bps.common.analytics.config.TBPSAnalytics)

Example 15 with SecretResolver

use of org.wso2.securevault.SecretResolver in project carbon-business-process by wso2.

the class UnifiedEndpointFactory method createEndpoint.

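/**
 * Builds a {@link UnifiedEndpoint} from its XML configuration element.
 * <p>
 * The WS-Addressing endpoint reference is read first. The optional metadata element then
 * contributes the endpoint id, discovery, timeout, WSDL 1.1 definitions, message output,
 * transport settings (including HTTP authorization credentials, see
 * {@link #extractTransportAuthorizationConfig}), monitoring, QoS and session type.
 *
 * @param uEPConfigEle the unified endpoint configuration element
 * @return the populated endpoint
 * @throws AxisFault if the endpoint reference cannot be read from the element
 */
public UnifiedEndpoint createEndpoint(OMElement uEPConfigEle) throws AxisFault {
    UnifiedEndpoint unifiedEndpoint = new UnifiedEndpoint();
    EndpointReferenceHelper.fromOM(unifiedEndpoint, uEPConfigEle, AddressingConstants.Final.WSA_NAMESPACE);
    OMElement metadataElem = uEPConfigEle.getFirstChildWithName(UnifiedEndpointConstants.METADATA_Q);
    if (metadataElem == null) {
        return unifiedEndpoint;
    }
    OMElement idElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.METADATA_ID_Q);
    if (idElem != null) {
        unifiedEndpoint.setUepId(idElem.getText());
    } else {
        log.error("UEP Configuration violation: " + UnifiedEndpointConstants.METADATA_ID_Q + " not found");
    }
    // Discovery
    OMElement discoveryElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.METADATA_DISCOVERY_Q);
    if (discoveryElem != null) {
        extractDiscoveryConfig(unifiedEndpoint, discoveryElem);
    }
    // Timeout
    OMElement timeoutElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.TIMEOUT_Q);
    if (timeoutElem != null) {
        extractTimeoutConfig(unifiedEndpoint, timeoutElem);
    }
    // WSDL Definitions
    OMElement wsdl11Elem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.METADATA_WSDL11_DEFINITIONS_Q);
    if (wsdl11Elem != null) {
        unifiedEndpoint.setWsdl11Definitions(wsdl11Elem);
    }
    // MessageOutput
    OMElement messageOutputElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.MESSAGE_OUTPUT_Q);
    if (messageOutputElem != null) {
        extractMessageOutPutConfig(unifiedEndpoint, messageOutputElem);
    }
    // Transport
    OMElement transportElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.TRANSPORT_Q);
    if (transportElem != null) {
        extractTransportConfig(unifiedEndpoint, transportElem);
        extractTransportAuthorizationConfig(unifiedEndpoint, transportElem);
    }
    // Monitoring
    OMElement monitoringElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.MONITORING_Q);
    if (monitoringElem != null) {
        extractMetadataMonitoringConfig(unifiedEndpoint, monitoringElem);
    }
    // QoS
    OMElement qosElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.QOS_Q);
    if (qosElem != null) {
        extractQoSConfig(unifiedEndpoint, qosElem);
    }
    // Session
    OMElement sessionElem = metadataElem.getFirstChildWithName(UnifiedEndpointConstants.SESSION_Q);
    if (sessionElem != null) {
        String sessionType = sessionElem.getAttributeValue(UnifiedEndpointConstants.SESSION_TYPE_Q);
        if (sessionType != null) {
            unifiedEndpoint.setSessionType(sessionType);
        }
    }
    return unifiedEndpoint;
}

/**
 * Reads the optional HTTP authorization username and password from the transport element.
 * <p>
 * If the password element carries a secure-vault {@code secretAlias} attribute and the
 * resolver built from the transport element is initialized and protects that alias, the
 * resolved secret is used. Otherwise the element's text is used as a plain-text password; when
 * an alias was configured but could not be resolved, this fallback is logged as a warning so
 * that a misconfigured vault does not silently degrade to plain text.
 *
 * @param unifiedEndpoint the endpoint being populated
 * @param transportElem   the transport element of the endpoint metadata (non-null)
 */
private void extractTransportAuthorizationConfig(UnifiedEndpoint unifiedEndpoint, OMElement transportElem) {
    OMElement userNameElem = transportElem.getFirstChildWithName(UnifiedEndpointConstants.TRANSPORT_AUTHORIZATION_USERNAME_Q);
    if (userNameElem != null) {
        unifiedEndpoint.setAuthorizationUserName(userNameElem.getText());
    }
    OMElement passwordElem = transportElem.getFirstChildWithName(UnifiedEndpointConstants.TRANSPORT_AUTHORIZATION_PASSWORD_Q);
    if (passwordElem == null) {
        return;
    }
    String secretAlias = passwordElem.getAttributeValue(new QName(UnifiedEndpointConstants.SECURE_VAULT_NS, UnifiedEndpointConstants.SECRET_ALIAS_ATTR_NAME));
    if (secretAlias != null && secretAlias.trim().length() > 0) {
        secretAlias = secretAlias.trim();
        SecretResolver secretResolver = SecretResolverFactory.create(transportElem, false);
        if (secretResolver != null && secretResolver.isInitialized() && secretResolver.isTokenProtected(secretAlias)) {
            // Setting the secured password
            unifiedEndpoint.setAuthorizationPassword(secretResolver.resolve(secretAlias));
            return;
        }
        // Secure vault is not configured properly: fall back to the plain-text value, but say so
        // (the alias is logged, never the password).
        log.warn("Secure vault alias '" + secretAlias + "' for the transport authorization password could not be resolved; using the plain text value from the configuration");
    }
    unifiedEndpoint.setAuthorizationPassword(passwordElem.getText());
}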
Also used : SecretResolver(org.wso2.securevault.SecretResolver) QName(javax.xml.namespace.QName) OMElement(org.apache.axiom.om.OMElement)
