gresockj commented on a change in pull request #4986: URL: https://github.com/apache/nifi/pull/4986#discussion_r613342402
########## File path: nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/util/SecureNiFiConfigUtil.java ########## @@ -0,0 +1,191 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.bootstrap.util; + +import org.apache.commons.lang3.tuple.ImmutablePair; +import org.apache.commons.lang3.tuple.Pair; +import org.apache.nifi.security.util.KeyStoreUtils; +import org.apache.nifi.security.util.StandardTlsConfiguration; +import org.apache.nifi.security.util.TlsConfiguration; +import org.apache.nifi.util.NiFiProperties; +import org.bouncycastle.util.IPAddress; +import org.slf4j.Logger; + +import java.io.File; +import java.io.FileReader; +import java.io.IOException; +import java.io.UncheckedIOException; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.StandardCopyOption; +import java.security.GeneralSecurityException; +import java.util.HashSet; +import java.util.List; +import java.util.Properties; +import java.util.Set; +import java.util.stream.Collectors; + +public class SecureNiFiConfigUtil { + + private static final int CERT_DURATION_DAYS = 60; + public static final String LOCALHOST_IP = "127.0.0.1"; + private static final String LOCALHOST_NAME = "localhost"; + + private SecureNiFiConfigUtil() { + + } + + /** + * If HTTPS is enabled (nifi.web.https.port is set), but the keystore file specified in nifi.security.keystore + * does not exist, this will generate a key pair and self-signed certificate, generate the associated keystore + * and truststore and write them to disk under the configured filepaths, generate a secure random keystore password + * and truststore password, and write these to the nifi.properties file. + * @param nifiPropertiesFilename The filename of the nifi.properties file + * @param cmdLogger The bootstrap logger + * @throws IOException can be thrown when writing keystores to disk + * @throws RuntimeException indicates a security exception while generating keystores + */ + public static void configureSecureNiFiProperties(String nifiPropertiesFilename, Logger cmdLogger) throws IOException, RuntimeException { + final File propertiesFile = new File(nifiPropertiesFilename); + final Properties nifiProperties = loadProperties(propertiesFile); + + if (!nifiProperties.getProperty(NiFiProperties.WEB_HTTPS_PORT, "").isEmpty()) { + String keystorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE, ""); + String truststorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE, ""); + if (!keystorePath.isEmpty() && !truststorePath.isEmpty()) { + File keystore = new File(keystorePath); + File truststore = new File(truststorePath); + if (!keystore.exists() && !truststore.exists()) { + TlsConfiguration tlsConfiguration = null; + cmdLogger.info("Generating default self-signed certificates, keystore and truststore for secure Apache NiFi configuration. " + + "This certificate will expire in {} days, and it is recommended to acquire your own certificates in order to properly secure Apache NiFi.", CERT_DURATION_DAYS); + try { + Pair<String[], String[]> subjectAlternativeNames = getSubjectAlternativeNames(nifiProperties); + tlsConfiguration = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore(StandardTlsConfiguration + .fromNiFiProperties(nifiProperties), CERT_DURATION_DAYS, subjectAlternativeNames.getLeft(), + subjectAlternativeNames.getRight()); + } catch (IOException e) { + cmdLogger.error("Encountered an I/O exception while generating secure Apache NiFi configuration.", e); + throw e; + } catch (GeneralSecurityException e) { + cmdLogger.error("Encountered a security exception while generating secure Apache NiFi configuration.", e); + throw new RuntimeException(e); + } + + // Move over the new stores from temp dir + Files.move(new File(tlsConfiguration.getKeystorePath()).toPath(), new File(keystorePath).toPath(), + StandardCopyOption.REPLACE_EXISTING); + Files.move(new File(tlsConfiguration.getTruststorePath()).toPath(), new File(truststorePath).toPath(), + StandardCopyOption.REPLACE_EXISTING); + + updateProperties(propertiesFile, tlsConfiguration); + + cmdLogger.info("Successfully generated {} and {}.", keystorePath, truststorePath); + } else if (!keystore.exists() && truststore.exists()) { + cmdLogger.error("Tried to generate keystore {} for secure Apache NiFi configuration, but truststore file {} already exists. Aborting.", + keystorePath, truststorePath); + throw new RuntimeException("Will not generate keystore and truststore separately."); + } else if (keystore.exists() && !truststore.exists()) { + cmdLogger.error("Tried to generate truststore {} for secure Apache NiFi configuration, but keystore file {} already exists. Aborting.", + truststorePath, keystorePath); + throw new RuntimeException("Will not generate keystore and truststore separately."); + } else { + cmdLogger.info("Existing keystore and truststore detected: skipping Apache Nifi certificate generation."); + } + } else { + cmdLogger.warn("HTTPS is configured, but keystore and truststore are not specified. This will result in an invalid configuration."); + } + } else { + cmdLogger.info("No HTTPS configuration detected: skipping Apache Nifi certificate generation."); + } + } + + /** + * Attempts to add some reasonable guesses at desired SAN values that can be added to the generated + * certificate. + * @param nifiProperties The nifi.properties + * @return A Pair with IP SANs on the left and DNS SANs on the right + */ + private static Pair<String[], String[]> getSubjectAlternativeNames(Properties nifiProperties) { + Set<String> ipSubjectAlternativeNames = new HashSet<>(); + Set<String> dnsSubjectAlternativeNames = new HashSet<>(); + + try { + ipSubjectAlternativeNames.add(InetAddress.getLocalHost().getHostAddress()); + dnsSubjectAlternativeNames.add(InetAddress.getLocalHost().getHostName()); + } catch (UnknownHostException e) { + // This was just a courtesy, so we'll skip adding it + } + addSubjectAlternativeName(nifiProperties, NiFiProperties.REMOTE_INPUT_HOST, ipSubjectAlternativeNames, dnsSubjectAlternativeNames); + addSubjectAlternativeName(nifiProperties, NiFiProperties.WEB_HTTPS_HOST, ipSubjectAlternativeNames, dnsSubjectAlternativeNames); + addSubjectAlternativeName(nifiProperties, NiFiProperties.WEB_PROXY_HOST, ipSubjectAlternativeNames, dnsSubjectAlternativeNames); + addSubjectAlternativeName(nifiProperties, NiFiProperties.LOAD_BALANCE_ADDRESS, ipSubjectAlternativeNames, dnsSubjectAlternativeNames); + + // Not necessary to add as a SAN + ipSubjectAlternativeNames.remove(LOCALHOST_IP); + dnsSubjectAlternativeNames.remove(LOCALHOST_NAME); + + return new ImmutablePair<>(ipSubjectAlternativeNames.toArray(new String[ipSubjectAlternativeNames.size()]), Review comment: Sounds good, I concur with the brittleness. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
