From f0359240d6f093f08eca0a077a37ab3b5b842765 Mon Sep 17 00:00:00 2001 From: Ioakeim Samaras Date: Tue, 24 Sep 2019 12:21:15 +0300 Subject: [PATCH] [UI] Support of HTTPS HTTPs with the appropriate SSL certificates is supported in order to secure the connection between the client and the UI. JIRA: VAL-54 Signed-off-by: Ioakeim Samaras Change-Id: I4fe37d98fbc5cfa45a12eef0f1af820877758f54 --- docker/README.rst | 13 +- docker/mariadb/deploy.sh | 2 + .../deploy_with_existing_persistent_storage.sh | 2 + docker/ui/bluval.crt | 13 ++ docker/ui/bluval.key | 15 +++ docker/ui/deploy.sh | 38 ++---- docker/ui/root_index.jsp | 18 +++ docker/ui/server.xml | 139 +++++++++++++++++++++ ui/CHANGELOG.md | 9 ++ ui/README.rst | 46 ++++--- ui/pom.xml | 2 +- .../ui/service/IntegratedResultService.java | 24 ++-- ui/src/main/webapp/WEB-INF/web.xml | 22 ++++ 13 files changed, 276 insertions(+), 67 deletions(-) create mode 100644 docker/ui/bluval.crt create mode 100644 docker/ui/bluval.key create mode 100644 docker/ui/root_index.jsp create mode 100644 docker/ui/server.xml diff --git a/docker/README.rst b/docker/README.rst index 2c51af0..80451d1 100644 --- a/docker/README.rst +++ b/docker/README.rst 
@@ -169,17 +169,18 @@ REGISTRY, the registry of the mariadb image, default value is akraino NAME, the name of the mariadb image, default value is validation TAG_PRE, the first part of the image version, default value is ui TAG_VER, the last part of the image version, default value is latest -JENKINS_URL, the URL of the Jenkins instance (http or https must be defined), this variable is required -JENKINS_USERNAME, the Jenkins user name, this variable is required -JENKINS_USER_PASSWORD, the Jenkins user password, this variable is required -JENKINS_JOB_NAME, the name of Jenkins job capable of executing the blueprint validation tests, this variable is required +JENKINS_URL, the URL of the Jenkins instance (http or https must be defined), the default value is 'https://jenkins.akraino.org/' +JENKINS_USERNAME, the Jenkins user name, the default value is 'demo' (in the context of UI full control loop mode, this parameter must be changed to include a real Jenkins user) +JENKINS_USER_PASSWORD, the Jenkins user password, the default value is 'demo' (in the context of UI full control loop mode, this parameter must be changed to include a real Jenkins user password) +JENKINS_JOB_NAME, the name of Jenkins job capable of executing the blueprint validation tests, the default value is 'validation' (in the context of UI full control loop mode, this parameter must be changed to include a real Jenkins job name) NEXUS_PROXY, the needed proxy in order for the Nexus server to be reachable, default value is none JENKINS_PROXY, the needed proxy in order for the Jenkins server to be reachable, default value is none +CERTDIR, the directory where the SSL certificates can be found, default value is the working directory where self signed certificates exist only for demo purposes Note that, for a functional UI, the following prerequisites are needed: - The mariadb container in up and running state -- A Jenkins instance capable of running the blueprint validation test +- A Jenkins instance 
capable of running the blueprint validation test (this is optional and is needed only for UI full control loop mode) - A Nexus repo in which all the test results are stored. More info can be found at the UI README file. @@ -191,7 +192,7 @@ Example (assuming the default variables have been utilized for building the imag .. code-block:: console cd validation/docker/ui - ./deploy.sh DB_IP_PORT=172.17.0.3:3306 MARIADB_AKRAINO_PASSWORD=akraino_password JENKINS_URL=http://192.168.2.2:8080 JENKINS_USERNAME=name JENKINS_USER_PASSWORD=jenkins_pwd JENKINS_JOB_NAME=job1 + ./deploy.sh DB_IP_PORT=172.17.0.3:3306 MARIADB_AKRAINO_PASSWORD=akraino_password The kube-conformance container ============================== diff --git a/docker/mariadb/deploy.sh b/docker/mariadb/deploy.sh index df7bcc6..ea48b54 100755 --- a/docker/mariadb/deploy.sh +++ b/docker/mariadb/deploy.sh @@ -16,6 +16,8 @@ # Use this script if the persistent storage does not exist +set -ex + DOCKER_VOLUME_NAME="akraino-validation-mariadb" # Container name CONTAINER_NAME="akraino-validation-mariadb" diff --git a/docker/mariadb/deploy_with_existing_persistent_storage.sh b/docker/mariadb/deploy_with_existing_persistent_storage.sh index b109300..c38ee24 100755 --- a/docker/mariadb/deploy_with_existing_persistent_storage.sh +++ b/docker/mariadb/deploy_with_existing_persistent_storage.sh @@ -16,6 +16,8 @@ # Use this script if the persistent storage already exists and you want to use its data +set -ex + DOCKER_VOLUME_NAME="akraino-validation-mariadb" # Container name CONTAINER_NAME="akraino-validation-mariadb" diff --git a/docker/ui/bluval.crt b/docker/ui/bluval.crt new file mode 100644 index 0000000..5c52ec3 --- /dev/null +++ b/docker/ui/bluval.crt 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIICDDCCAXUCFDAcQKQ5fjn4ychr842t+36KyYOjMA0GCSqGSIb3DQEBCwUAMEUx +CzAJBgNVBAYTAkdSMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl +cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTkwOTIzMTQ0NjQ3WhcNMjAwOTIyMTQ0 +NjQ3WjBFMQswCQYDVQQGEwJHUjETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE +CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQC2fdHMv0uDqQf9DpiHcjNVd6ulo8I8rlg2MvHQyKefridEqE/g5gSA +Pup7lTkC/JupxJsu0SPKEsioz4JcIJSg6WeVBHD6AgqJlKnnG+Y0uBijRDFZteQr +xgEtWt5Q0qZyqn4KlBlXpnb5YhPhbfE9QnqkPa3J1Rho7a6TG9TLrwIDAQABMA0G +CSqGSIb3DQEBCwUAA4GBAJnM7Rk40ohvL8+O/PObnEvlWUigH4fPei1mYEn6sEDs +ZNRFDQ1PoaIvs3XZc4VfaOksHspj5NP5ESWG61HQ573PvbpRs/CXCdnUSbHvCw8N +ZtkZRPwWP2M2H5UdrvErpsrTCESu8dpIURtj2pt7YNN1Yx2GZ5yD4gORYTMBDPv3 +-----END CERTIFICATE----- diff --git a/docker/ui/bluval.key b/docker/ui/bluval.key new file mode 100644 index 0000000..9f9d0cc --- /dev/null +++ b/docker/ui/bluval.key @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICWAIBAAKBgQC2fdHMv0uDqQf9DpiHcjNVd6ulo8I8rlg2MvHQyKefridEqE/g +5gSAPup7lTkC/JupxJsu0SPKEsioz4JcIJSg6WeVBHD6AgqJlKnnG+Y0uBijRDFZ +teQrxgEtWt5Q0qZyqn4KlBlXpnb5YhPhbfE9QnqkPa3J1Rho7a6TG9TLrwIDAQAB +An8xL7hcdzLjSavdiRGTcDRl1NtuybSQpm0gLpr+qxaC822iE7tz4otUBaEtrgqv +w2YxW8x30ebTkDyFQ2jfa+ijAXcBVU8yEbW/2XdL+yw8uRLLKTx3m+qZwG5G9aS5 +lvmKybpX+QV81AO83A2XJywcWS/CIu0bQ53KoG8ybe1hAkEA6ArFjuirZVHC1zoP +yziNyENxZnmdCqFZfQkz4f+jnyl2S8vCPe02LC5FlvT5WX/eyLbuqroVP71GSfSm +iSaXEQJBAMlVWXvJIK+fenYlGHBTzGzTR0HH9OUzM/rwcnV0QL3gq6B6JFiHLSqB +9wr4Iq1wY/bOcZfVH3iz+O0XVPZktr8CQHSCBBPvSy/CT7xVUNzO9pGZG3VCltFh +llcrqbtN6k/eN6FzG4KQemTQjuxu8Ew54hiRkWBzsnugg4xapMu0bqECQCPfVjNN +EcrY8nvsfh89fxYAyxh4ZTUVW3ShtPMihIqQZmQQfzta0nxZbcgBkEQw207VV74C +1jmub3LnDldceIcCP2dP2MmTUl1VCPXaZeWmw6yKIPCKpVnvL+bnIctHfhYR8vOp +b4PBcWLRPmSZgj9FY/H7Nu3EKWq67ROvamf+WA== +-----END RSA PRIVATE KEY----- diff --git a/docker/ui/deploy.sh b/docker/ui/deploy.sh index c1be674..388cb9c 100755 --- a/docker/ui/deploy.sh +++ b/docker/ui/deploy.sh 
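Review bot: The docker/ui/bluval.key hunk commits the RSA private key that matches bluval.crt, so every deployment that keeps the default CERTDIR serves a certificate whose key anyone with repository access can read. The HTTPS endpoint is then unauthenticated, and depending on the negotiated cipher suite captured traffic may not stay confidential either. From its encoded length the key also looks like 1024-bit RSA, which current TLS stacks may refuse. Rather than shipping the pair, let deploy.sh create a per-host one when CERTDIR is not given, for example `openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=localhost" -keyout bluval.key -out bluval.crt`. If the files stay in the tree, the README should say that this key must be treated as compromised.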
@@ -14,6 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +set -ex + # Container name CONTAINER_NAME="akraino-validation-ui" # Image data @@ -23,13 +25,14 @@ TAG_PRE=ui TAG_VER=latest # Container input parameters MARIADB_AKRAINO_PASSWORD="" -JENKINS_URL="" -JENKINS_USERNAME="" -JENKINS_USER_PASSWORD="" -JENKINS_JOB_NAME="" +JENKINS_URL="https://jenkins.akraino.org/" +JENKINS_USERNAME="demo" +JENKINS_USER_PASSWORD="demo" +JENKINS_JOB_NAME="validation" DB_IP_PORT="" NEXUS_PROXY="" JENKINS_PROXY="" +CERTDIR=$(pwd) for ARGUMENT in "$@" do @@ -49,6 +52,7 @@ do CONTAINER_NAME) CONTAINER_NAME=${VALUE} ;; NEXUS_PROXY) NEXUS_PROXY=${VALUE} ;; JENKINS_PROXY) JENKINS_PROXY=${VALUE} ;; + CERTDIR) CERTDIR=${VALUE} ;; *) esac done 
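Review bot: `set -ex` in the first hunk of docker/ui/deploy.sh turns on command tracing, so the `docker run` line at the end of the script is echoed to stderr with MARIADB_AKRAINO_PASSWORD and JENKINS_USER_PASSWORD expanded, and they end up in terminal scrollback or CI logs. Use `set -e` alone, or put `set +x` immediately before the `docker run` line. The same `set -ex` line is added to the two docker/mariadb scripts earlier in this patch; their bodies lie outside the hunks, so check whether they trace a password as well.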
@@ -65,30 +69,6 @@ if [ -z "$MARIADB_AKRAINO_PASSWORD" ] exit 1 fi -if [ -z "$JENKINS_URL" ] - then - echo "ERROR: You must specify the Jenkins Url" - exit 1 -fi - -if [ -z "$JENKINS_USERNAME" ] - then - echo "ERROR: You must specify the Jenkins username" - exit 1 -fi - -if [ -z "$JENKINS_USER_PASSWORD" ] - then - echo "ERROR: You must specify the Jenkins user password" - exit 1 -fi - -if [ -z "$JENKINS_JOB_NAME" ] - then - echo "ERROR: You must specify the Jenkins job name" - exit 1 -fi - IMAGE="$REGISTRY"/"$NAME":"$TAG_PRE"-"$TAG_VER" -docker run --detach --name $CONTAINER_NAME --network="host" -e DB_IP_PORT="$DB_IP_PORT" -e MARIADB_AKRAINO_PASSWORD="$MARIADB_AKRAINO_PASSWORD" -e JENKINS_URL="$JENKINS_URL" -e JENKINS_USERNAME="$JENKINS_USERNAME" -e JENKINS_USER_PASSWORD="$JENKINS_USER_PASSWORD" -e JENKINS_JOB_NAME="$JENKINS_JOB_NAME" -e NEXUS_PROXY="$NEXUS_PROXY" -e JENKINS_PROXY="$JENKINS_PROXY" $IMAGE +docker run --detach --name $CONTAINER_NAME --network="host" -v "$(pwd)/server.xml:/usr/local/tomcat/conf/server.xml" -v "$CERTDIR/bluval.key:/usr/local/tomcat/bluval.key" -v "$CERTDIR/bluval.crt:/usr/local/tomcat/bluval.crt" -v "$(pwd)/root_index.jsp:/usr/local/tomcat/webapps/ROOT/index.jsp" -e DB_IP_PORT="$DB_IP_PORT" -e MARIADB_AKRAINO_PASSWORD="$MARIADB_AKRAINO_PASSWORD" -e JENKINS_URL="$JENKINS_URL" -e JENKINS_USERNAME="$JENKINS_USERNAME" -e JENKINS_USER_PASSWORD="$JENKINS_USER_PASSWORD" -e JENKINS_JOB_NAME="$JENKINS_JOB_NAME" -e NEXUS_PROXY="$NEXUS_PROXY" -e JENKINS_PROXY="$JENKINS_PROXY" $IMAGE sleep 10 diff --git a/docker/ui/root_index.jsp b/docker/ui/root_index.jsp new file mode 100644 index 0000000..d502950 --- /dev/null +++ b/docker/ui/root_index.jsp 
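Review bot: The four bind mounts in the new `docker run` line are writable from inside the container, including the private key; add `:ro` to each, e.g. `-v "$CERTDIR/bluval.key:/usr/local/tomcat/bluval.key:ro"`. `server.xml` and `root_index.jsp` are resolved from `$(pwd)` rather than from the script's own directory, so starting the script from another directory mounts host paths that do not exist (Docker typically creates them as empty directories); `"$(cd "$(dirname "$0")" && pwd)"` is more robust. A `[ -r "$CERTDIR/bluval.key" ] && [ -r "$CERTDIR/bluval.crt" ]` test before the run would turn a wrong CERTDIR into a clear error. The passwords are still passed with `-e` on the command line, where they are visible in the process list and in `docker inspect`; `--env-file` avoids the former.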
@@ -0,0 +1,18 @@ +<%-- +Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--%> + +<% response.sendRedirect("/bluvalui"); %> + diff --git a/docker/ui/server.xml b/docker/ui/server.xml new file mode 100644 index 0000000..969d62b --- /dev/null +++ b/docker/ui/server.xml @@ -0,0 +1,139 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ui/CHANGELOG.md b/ui/CHANGELOG.md index 75cde42..c1343fe 100644 --- a/ui/CHANGELOG.md +++ b/ui/CHANGELOG.md @@ -173,3 +173,12 @@ All notable changes to this project will be documented in this file. - The UI searches for results only under the 'bluval_results' directory in Nexus ### Removed + +## [0.3.2-SNAPSHOT] - 24 September 2019 +### Added +- Redirection of all HTTP requests to the corresponding HTTPS resource. + +### Changed + +### Removed + diff --git a/ui/README.rst b/ui/README.rst index 6b32a34..41b9a16 100644 --- a/ui/README.rst +++ b/ui/README.rst 
@@ -384,9 +384,16 @@ Compiling Deploying ~~~~~~~~~ -The pom.xml file supports the building of an appropriate container image using the produced war file. Also, a script has been developed, namely validation/docker/ui/deploy.sh which easily deploys the container. +The pom.xml file supports the building of an appropriate container image using the produced war file. -This script accepts the following as input parameters: +In order to build the image, the following commands should be executed: + +.. code-block:: console + + cd validation/ui + mvn docker:build -Ddocker.filter=akraino/validation:dev-ui-latest + +Also, a script has been developed, namely validation/docker/ui/deploy.sh which easily deploys the container. This script accepts the following as input parameters: CONTAINER_NAME, the name of the contaner, default value is akraino-validation-ui DB_IP_PORT, the IP and port of the maridb instance, this variable is required 
@@ -395,29 +402,25 @@ REGISTRY, the registry of the mariadb image, default value is akraino NAME, the name of the mariadb image, default value is validation TAG_PRE, the first part of the image version, default value is ui TAG_VER, the last part of the image version, default value is latest -JENKINS_URL, the URL of the Jenkins instance (http or https must be defined), this variable is required -JENKINS_USERNAME, the Jenkins user name, this variable is required -JENKINS_USER_PASSWORD, the Jenkins user password, this variable is required -JENKINS_JOB_NAME, the name of Jenkins job capable of executing the blueprint validation tests, this variable is required +JENKINS_URL, the URL of the Jenkins instance (http or https must be defined), the default value is 'https://jenkins.akraino.org/' +JENKINS_USERNAME, the Jenkins user name, the default value is 'demo' (in the context of UI full control loop mode, this parameter must be changed to include a real Jenkins user) +JENKINS_USER_PASSWORD, the Jenkins user password, the default value is 'demo' (in the context of UI full control loop mode, this parameter must be changed to include a real Jenkins user password) +JENKINS_JOB_NAME, the name of Jenkins job capable of executing the blueprint validation tests, the default value is 'validation' (in the context of UI full control loop mode, this parameter must be changed to include a real Jenkins job name) NEXUS_PROXY, the needed proxy in order for the Nexus server to be reachable, default value is none JENKINS_PROXY, the needed proxy in order for the Jenkins server to be reachable, default value is none +CERTDIR, the directory where the SSL certificates can be found, default value is the working directory where self signed certificates exist only for demo purposes -In order to build the image using only the required parameters, the following data is needed: +So, for a functional UI, the following prerequisites are needed: -- The mariadb akraino user password (look at the Database 
subsection) -- The IP and port of the mariadb -- The Jenkins url -- The Jenkins username and password -- The name of Jenkins Job +- The mariadb container in up and running state +- A Jenkins instance capable of running the blueprint validation test (this is optional and is needed only for UI full control loop mode) +- A Nexus repo in which all the test results are stored. -Then, the following commands can be executed in order to build and deploy the UI container: +Then, the following commands can be executed in order to deploy the UI container: .. code-block:: console - - cd validation/ui - mvn docker:build -Ddocker.filter=akraino/validation:dev-ui-latest cd ../docker/ui - ./deploy.sh TAG_PRE=dev-ui DB_IP_PORT= MARIADB_AKRAINO_PASSWORD= JENKINS_URL= JENKINS_USERNAME= JENKINS_USER_PASSWORD= JENKINS_JOB_NAME= + ./deploy.sh TAG_PRE=dev-ui DB_IP_PORT= MARIADB_AKRAINO_PASSWORD= The content of the DB_IP_PORT can be for example '172.17.0.3:3306'. 
@@ -427,9 +430,14 @@ If no proxy exists, the proxy ip and port variables should not be defined. The UI should be available in the following url: - http://localhost:8080/bluvalui/ + https://localhost:8443/bluvalui/ + +Note that the deployment uses the network host mode, so the ports 8080 and 8443 must be available on the host. -Note that the deployment uses the network host mode, so the 8080 must be available on the host. +As far as the SSL certificates are concerned, self-signed built-in certificates exist in the 'validation/docker/ui' directory which are used by default. It should be noted that these +certificates should be used only for demo purposes. If a user wants to use different ones which are more appropriate for a production environment, the directory that contains these new +certificates must be defined using the 'CERTDIR' parameter of the 'validation/docker/ui/deploy.sh' script. It should be noted that the certificates must have specific names, that are 'bluval.crt' +and 'bluval.key' for the certificate and the key respectively. User's guide ----------------- diff --git a/ui/pom.xml b/ui/pom.xml index 2a6973c..6cdbc38 100644 --- a/ui/pom.xml +++ b/ui/pom.xml @@ -14,7 +14,7 @@ org.akraino.validation ui - 0.3.1-SNAPSHOT + 0.3.2-SNAPSHOT Bluval UI Maven Webapp war diff --git a/ui/src/main/java/org/akraino/validation/ui/service/IntegratedResultService.java b/ui/src/main/java/org/akraino/validation/ui/service/IntegratedResultService.java index 965a78c..555b948 100644 --- a/ui/src/main/java/org/akraino/validation/ui/service/IntegratedResultService.java +++ b/ui/src/main/java/org/akraino/validation/ui/service/IntegratedResultService.java 
@@ -147,11 +147,11 @@ public class IntegratedResultService { throw new IllegalArgumentException("Could not retrieve lab : " + lab.toString()); } ValidationDbTestResult vNexusResult = nexusService.getResult(name, version, labInfo.getSilo(), timestamp); - if (!dbAdapter.checkValidityOfNexusResult(vNexusResult)) { - return null; + if (vNexusResult != null && dbAdapter.checkValidityOfNexusResult(vNexusResult)) { + vNexusResult.setLab(labInfo); + return vNexusResult; } - vNexusResult.setLab(labInfo); - return vNexusResult; + return null; } public ValidationDbTestResult getLastResultBasedOnOutcomeFromNexus(@Nonnull String name, @Nonnull String version, @@ -164,11 +164,11 @@ public class IntegratedResultService { } ValidationDbTestResult vNexusResult = nexusService.getLastResultBasedOnOutcome(name, version, labInfo.getSilo(), allLayers, optional, outcome); - if (!dbAdapter.checkValidityOfNexusResult(vNexusResult)) { - return null; + if (vNexusResult != null && dbAdapter.checkValidityOfNexusResult(vNexusResult)) { + vNexusResult.setLab(labInfo); + return vNexusResult; } - vNexusResult.setLab(labInfo); - return vNexusResult; + return null; } public ValidationDbTestResult getLastResultBasedOnOutcomeFromNexus(@Nonnull String name, @Nonnull String version, @@ -181,11 +181,11 @@ public class IntegratedResultService { } ValidationDbTestResult vNexusResult = nexusService.getLastResultBasedOnOutcome(name, version, labInfo.getSilo(), layers, optional, outcome); - if (!dbAdapter.checkValidityOfNexusResult(vNexusResult)) { - return null; + if (vNexusResult != null && dbAdapter.checkValidityOfNexusResult(vNexusResult)) { + vNexusResult.setLab(labInfo); + return vNexusResult; } - vNexusResult.setLab(labInfo); - return vNexusResult; + return null; } public List getBasedOnDateFromNexus(@Nonnull String name, @Nonnull String version, diff --git a/ui/src/main/webapp/WEB-INF/web.xml b/ui/src/main/webapp/WEB-INF/web.xml index 2071632..6fd8b99 100644 --- a/ui/src/main/webapp/WEB-INF/web.xml 
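Review bot: All three changed methods now return `null` both when Nexus has no result and when the result fails `checkValidityOfNexusResult`, and neither the signature nor a comment tells callers this. The parameters are annotated `@Nonnull`, but the return value carries no annotation. This applies to the method whose tail is in the first hunk (its signature is outside the hunk) and to both `getLastResultBasedOnOutcomeFromNexus` overloads. Add a Javadoc line such as `@return the Nexus result with its lab set, or {@code null} if none was found or it failed validation`, and mark the return `@Nullable` if the file's `@Nonnull` comes from a package that provides it. The same four-line tail is repeated in each method; a private helper taking the result and `labInfo` would keep the three copies from drifting.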
+++ b/ui/src/main/webapp/WEB-INF/web.xml @@ -45,4 +45,26 @@ /WEB-INF/jsp/error.jsp + + + + HTTPSOnly + /* + + + CONFIDENTIAL + + + + + HTTPSOrHTTP + *.ico + /img/* + /css/* + + + NONE + + + \ No newline at end of file -- 2.16.6
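Review bot: The second added constraint (`HTTPSOrHTTP`, transport guarantee `NONE`) exempts `*.ico`, `/img/*` and `/css/*` from the HTTPS-only rule that the first constraint sets for `/*`. The element names are lost in this rendering, so this reading is inferred from the values. Stylesheets fetched over plain HTTP can be altered in transit and change what the page displays, and pages served over HTTPS gain nothing from an HTTP path to their assets. Unless a client is known to need it, drop the second constraint so that `CONFIDENTIAL` covers every URL. The redirect itself depends on the connector's `redirectPort` in docker/ui/server.xml, whose content is not visible here.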