[ 
https://issues.apache.org/jira/browse/NIFI-3695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15975446#comment-15975446
 ] 

ASF GitHub Bot commented on NIFI-3695:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1669#discussion_r112304681
  
    --- Diff: 
nifi-toolkit/nifi-toolkit-admin/src/main/groovy/org/apache/nifi/toolkit/admin/client/NiFiClientFactory.groovy
 ---
    @@ -0,0 +1,159 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.nifi.toolkit.admin.client
    +
    +import com.sun.jersey.api.client.Client
    +import com.sun.jersey.api.client.config.ClientConfig
    +import com.sun.jersey.api.client.config.DefaultClientConfig
    +import com.sun.jersey.client.urlconnection.HTTPSProperties
    +import org.apache.commons.lang3.StringUtils
    +import org.apache.nifi.util.NiFiProperties
    +import javax.net.ssl.HostnameVerifier
    +import javax.net.ssl.KeyManagerFactory
    +import javax.net.ssl.SSLContext
    +import javax.net.ssl.SSLPeerUnverifiedException
    +import javax.net.ssl.SSLSession
    +import javax.net.ssl.TrustManagerFactory
    +import java.security.KeyManagementException
    +import java.security.KeyStore
    +import java.security.KeyStoreException
    +import java.security.NoSuchAlgorithmException
    +import java.security.SecureRandom
    +import java.security.UnrecoverableKeyException
    +import java.security.cert.Certificate
    +import java.security.cert.CertificateException
    +import java.security.cert.CertificateParsingException
    +import java.security.cert.X509Certificate
    +
    +class NiFiClientFactory implements ClientFactory{
    +
    +    static enum NiFiAuthType{ NONE, SSL }
    +
    +    public Client getClient(NiFiProperties niFiProperties, String 
nifiInstallDir) throws Exception {
    +
    +        final String authTypeStr = 
StringUtils.isEmpty(niFiProperties.getProperty(NiFiProperties.WEB_HTTPS_HOST)) 
&&  
StringUtils.isEmpty(niFiProperties.getProperty(NiFiProperties.WEB_HTTPS_PORT))  
? NiFiAuthType.NONE : NiFiAuthType.SSL;
    +        final NiFiAuthType authType = NiFiAuthType.valueOf(authTypeStr);
    +
    +        SSLContext sslContext = null;
    +
    +        if (NiFiAuthType.SSL.equals(authType)) {
    +            String keystore = 
niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE);
    +            final String keystoreType = 
niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE);
    +            final String keystorePassword = 
niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD);
    +            String truststore = 
niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE);
    +            final String truststoreType = 
niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE);
    +            final String truststorePassword = 
niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD);
    +
    +            if(keystore.startsWith("./")){
    +                keystore = keystore.replace("./",nifiInstallDir+"/")
    +            }
    +            if(truststore.startsWith("./")){
    +                truststore = truststore.replace("./",nifiInstallDir+"/")
    +            }
    +
    +            sslContext = createSslContext(
    +                    keystore.trim(),
    +                    keystorePassword.trim().toCharArray(),
    +                    keystoreType.trim(),
    +                    truststore.trim(),
    +                    truststorePassword.trim().toCharArray(),
    +                    truststoreType.trim(),
    +                    "TLS");
    +        }
    +
    +        final ClientConfig config = new DefaultClientConfig();
    +
    +        if (sslContext != null) {
    +            
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES,new 
HTTPSProperties(new NiFiHostnameVerifier(), sslContext));
    +        }
    +
    +        return  Client.create(config);
    +
    +    }
    +
    +
    +    private static SSLContext createSslContext(
    +            final String keystore, final char[] keystorePasswd, final 
String keystoreType,
    +            final String truststore, final char[] truststorePasswd, final 
String truststoreType,
    +            final String protocol)
    +            throws KeyStoreException, IOException, 
NoSuchAlgorithmException, CertificateException,
    +                    UnrecoverableKeyException, KeyManagementException {
    +
    +        // prepare the keystore
    +        final KeyStore keyStore = KeyStore.getInstance(keystoreType);
    +        final InputStream keyStoreStream = new FileInputStream(keystore)
    +            keyStore.load(keyStoreStream, keystorePasswd);
    +
    +
    +        final KeyManagerFactory keyManagerFactory = 
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    +        keyManagerFactory.init(keyStore, keystorePasswd);
    +
    +        // prepare the truststore
    +        final KeyStore trustStore = KeyStore.getInstance(truststoreType);
    +        final InputStream trustStoreStream = new 
FileInputStream(truststore)
    +        trustStore.load(trustStoreStream, truststorePasswd);
    +
    +        final TrustManagerFactory trustManagerFactory = 
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    +        trustManagerFactory.init(trustStore);
    +
    +        // initialize the ssl context
    +        final SSLContext sslContext = SSLContext.getInstance(protocol);
    +        sslContext.init(keyManagerFactory.getKeyManagers(), 
trustManagerFactory.getTrustManagers(), new SecureRandom());
    +        return sslContext;
    +    }
    +
    +    private static class NiFiHostnameVerifier implements HostnameVerifier {
    +
    +        @Override
    +        public boolean verify(final String hostname, final SSLSession 
ssls) {
    +            try {
    +                for (final Certificate peerCertificate : 
ssls.getPeerCertificates()) {
    +                    if (peerCertificate instanceof X509Certificate) {
    +                        final X509Certificate x509Cert = (X509Certificate) 
peerCertificate;
    +                        final List<String> subjectAltNames = 
getSubjectAlternativeNames(x509Cert);
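Review bot: The relative-path rewrite at `keystore.replace("./", nifiInstallDir+"/")` (and the truststore twin just below it) replaces every occurrence of `./`, not only the leading one, so a value such as `./conf/../certs/keystore.jks` is mangled because `../` contains `./`; since the branch has already confirmed the leading `./`, use `keystore = nifiInstallDir + keystore.substring(1)` and the same for the truststore. Both calls also dereference the property without a null check, so an unset `nifi.security.keystore` surfaces as a NullPointerException rather than a clear configuration error. In `createSslContext` the two `FileInputStream`s opened for `keyStore.load` and `trustStore.load` are never closed; Groovy's `new FileInputStream(keystore).withCloseable { keyStore.load(it, keystorePasswd) }` (and the truststore equivalent) releases the handle even when `load` throws. `SSLContext.getInstance("TLS")` leaves the protocol version to the JVM default, which on older runtimes may include TLS 1.0 — consider pinning `"TLSv1.2"` if the toolkit is expected to talk only to current NiFi servers, though that depends on deployment targets I cannot see here. `NiFiHostnameVerifier.verify` continues outside the hunk, so its fallback and exception handling are not reviewed here.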
    --- End diff --
    
    The hostname should first be compared to the hostname in the subject DN of 
the certificate before resorting to the SANs. There are two scenarios where 
this would return incorrectly -- the cert hostname matches but no SANs match 
(false negative) or the cert has no SANs (false negative). See 
[`X509Certificate.getSubjectX500Principal()`](https://docs.oracle.com/javase/7/docs/api/java/security/cert/X509Certificate.html#getSubjectX500Principal())
 to access the subject DN directly and 
[`X500Principal.getName()`](https://docs.oracle.com/javase/7/docs/api/javax/security/auth/x500/X500Principal.html#getName())
 to extract the hostname (`CN` value) from the principal for comparison. If 
this comparison fails, then check the SANs. 


> Create Node Manager & Notification Utilities
> --------------------------------------------
>
>                 Key: NIFI-3695
>                 URL: https://issues.apache.org/jira/browse/NIFI-3695
>             Project: Apache NiFi
>          Issue Type: Sub-task
>          Components: Tools and Build
>            Reporter: Yolanda M. Davis
>            Assignee: Yolanda M. Davis
>
> The node manager utility should allow system administrators to connect, 
> disconnect or remove a node from a cluster on the command line.  If a node is 
> not part of a cluster an error message should display if node is not part of 
> a cluster.  If a node is disconnected from a cluster and needs to be 
> connected or removed from that cluster the tool should support receiving a 
> list of urls to connected nodes which can be used to send the required 
> command to the active cluster. 
> The notification utility should allow administrators to send messages as 
> bulletins to the NiFi with levels of INFO, WARN or ERROR.


