TAG_PRE, first part of the image version, default value is mariadb
TAG_VER, last part of the image version, default value is latest
MARIADB_HOST_PORT, port on which mariadb is exposed on host, default value is 3307
+ENCRYPTION_KEY, the key that should be used by the AES algorithm for encrypting passwords stored in database, this variable is required
In order to deploy the container, this script can be executed with the appropriate parameters.
.. code-block:: console
cd validation/docker/mariadb
- ./deploy.sh MARIADB_ROOT_PASSWORD=root_password MARIADB_AKRAINO_PASSWORD=akraino_password UI_ADMIN_PASSWORD=admin UI_AKRAINO_PASSWORD=akraino
+ ./deploy.sh MARIADB_ROOT_PASSWORD=root_password MARIADB_AKRAINO_PASSWORD=akraino_password UI_ADMIN_PASSWORD=admin UI_AKRAINO_PASSWORD=akraino ENCRYPTION_KEY=key
Also, in order to re-deploy the database (it is assumed that the corresponding mariadb container has been stopped and deleted) while the persistent storage already exists (currently, the directory /var/lib/mariadb of the host is used), a different approach should be used after the image build process.
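Review bot: the new ENCRYPTION_KEY line says the variable is required but not what a valid value looks like, and the example `./deploy.sh ... ENCRYPTION_KEY=key` passes a four-character key on the command line. The UI code further down this page derives the AES key with `Arrays.copyOf(strKey.getBytes("ASCII"), 16)`, so anything shorter than 16 bytes is zero-padded and the documented example is effectively a 4-byte key. State that the value must be 16 ASCII characters of random data, and consider letting deploy.sh read it from an environment variable or a file rather than an argument that lands in shell history and `ps` output.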
NEXUS_PROXY, the needed proxy in order for the Nexus server to be reachable, default value is none
JENKINS_PROXY, the needed proxy in order for the Jenkins server to be reachable, default value is none
CERTDIR, the directory where the SSL certificates can be found, default value is the working directory where self signed certificates exist only for demo purposes
+ENCRYPTION_KEY, the key that should be used by the AES algorithm for encrypting passwords stored in database, this variable is required
Note that, for a functional UI, the following prerequisites are needed:
.. code-block:: console
cd validation/docker/ui
- ./deploy.sh DB_IP_PORT=172.17.0.3:3306 MARIADB_AKRAINO_PASSWORD=akraino_password
+ ./deploy.sh DB_IP_PORT=172.17.0.3:3306 MARIADB_AKRAINO_PASSWORD=akraino_password ENCRYPTION_KEY=key
The kube-conformance container
==============================
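Review bot: the UI deploy example adds `ENCRYPTION_KEY=key` but this section never says the value has to match the key given to the mariadb deployment; the development section later on this page adds that sentence ("the value of the encryption key should be the same as the value of the encryption key used in database deployment"), and it belongs here as well, since a mismatched key makes every login fail with only the generic invalid-login message.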
TAG_PRE, first part of the image version, default value is mariadb
TAG_VER, last part of the image version, default value is latest
MARIADB_HOST_PORT, port on which mariadb is exposed on host, default value is 3307
+ENCRYPTION_KEY, the key that should be used by the AES algorithm for encrypting passwords stored in database, this variable is required
Currently, two users are supported by the UI, namely admin (full privileges) and akraino (limited privileges). Their passwords must be defined in the database.
cd validation/ui
mvn docker:build -Ddocker.filter=akraino/validation:dev-mariadb-latest
cd ../docker/mariadb
- ./deploy.sh TAG_PRE=dev-mariadb MARIADB_ROOT_PASSWORD=<mariadb root user password> MARIADB_AKRAINO_PASSWORD=<mariadb akraino user password> UI_ADMIN_PASSWORD=<UI admin user password> UI_AKRAINO_PASSWORD=<UI akraino user password>
+ ./deploy.sh TAG_PRE=dev-mariadb MARIADB_ROOT_PASSWORD=<mariadb root user password> MARIADB_AKRAINO_PASSWORD=<mariadb akraino user password> UI_ADMIN_PASSWORD=<UI admin user password> UI_AKRAINO_PASSWORD=<UI akraino user password> ENCRYPTION_KEY=<encryption key>
mysql -p<MARIADB_AKRAINO_PASSWORD> -uakraino -h <IP of the mariadb container> < ../../ui/db-scripts/examples/initialize_db_example.sql
In order to retrieve the IP of the mariadb container, the following command should be executed:
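Review bot: with this change the UI encrypts the submitted password with ENCRYPTION_KEY before calling `loginService.findUser`, so the rows loaded from `../../ui/db-scripts/examples/initialize_db_example.sql` must already hold passwords encrypted under the same key, and the hunk does not say whether that script (or deploy.sh, given UI_ADMIN_PASSWORD and UI_AKRAINO_PASSWORD) produces them. Document how the stored values are generated; otherwise the example database will not accept the documented admin and akraino credentials.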
NEXUS_PROXY, the needed proxy in order for the Nexus server to be reachable, default value is none
JENKINS_PROXY, the needed proxy in order for the Jenkins server to be reachable, default value is none
CERTDIR, the directory where the SSL certificates can be found, default value is the working directory where self signed certificates exist only for demo purposes
+ENCRYPTION_KEY, the key that should be used by the AES algorithm for encrypting passwords stored in database, this variable is required
So, for a functional UI, the following prerequisites are needed:
.. code-block:: console
cd ../docker/ui
- ./deploy.sh TAG_PRE=dev-ui DB_IP_PORT=<IP and port of the mariadb> MARIADB_AKRAINO_PASSWORD=<mariadb akraino password>
+ ./deploy.sh TAG_PRE=dev-ui DB_IP_PORT=<IP and port of the mariadb> MARIADB_AKRAINO_PASSWORD=<mariadb akraino password> ENCRYPTION_KEY=<encryption key>
-The content of the DB_IP_PORT can be for example '172.17.0.3:3306'.
+The content of the DB_IP_PORT can be for example '172.17.0.3:3306'. Also, the value of the encryption key should be the same as the value of the encryption key used in database deployment.
Furthermore, the TAG_PRE variable should be defined as the default value is 'ui' (note that the 'dev-ui' is used for development purposes - look at pom.xml file).
The UI should be available in the following url:
- https://localhost:8443/bluvalui/
+ https://<IP of UI container>:8443/bluvalui/
Note that the deployment uses the network host mode, so the ports 8080 and 8443 must be available on the host.
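Review bot: changing the URL to `https://<IP of UI container>:8443/bluvalui/` conflicts with the unchanged note two lines below that the deployment uses network host mode; a container on the host network has no IP of its own, so the UI is reached at the host's address (and localhost still works from the host itself). Either keep the localhost URL with a remark about using the host IP from other machines, or drop the host-mode note if it no longer applies. The added sentence about matching the encryption key with the database deployment is the right caveat; the same sentence is missing from the non-development UI section earlier on this page.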
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ===================================================================
+/*
+ * Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
*
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License. You may obtain
+ * a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- *
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
*/
package org.akraino.validation.ui.login;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.codec.binary.Hex;
import org.onap.portalsdk.core.auth.LoginStrategy;
import org.onap.portalsdk.core.command.LoginBean;
import org.onap.portalsdk.core.domain.RoleFunction;
import org.springframework.web.servlet.ModelAndView;
/**
- * Implements basic single-signon login strategy for open-source
- * applications when users start at Portal. Extracts an encrypted user ID
- * sent by Portal.
+ * Implements basic single-signon login strategy for open-source applications
+ * when users start at Portal. Extracts an encrypted user ID sent by Portal.
*/
public class LoginStrategyImpl extends LoginStrategy {
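Review bot: the replacement header drops the ONAP Portal copyright and attribution block in favour of a 2019 AT&T notice; this file carried the ONAP Portal header and still extends `org.onap.portalsdk.core.auth.LoginStrategy`, and Apache-2.0 section 4 requires retaining the copyright notices of the Source form in redistributed derivative works, so keep the original notice alongside the new one unless the project has confirmed the relicensing. On the imports, `UnsupportedEncodingException` and the `"ASCII"`/`"UTF-8"` string lookups in `aesEncrypt` can be replaced by `StandardCharsets.US_ASCII` and `StandardCharsets.UTF_8`, which removes one checked exception from the catch list; also confirm commons-codec is a declared dependency of the ui module, since `org.apache.commons.codec.binary.Hex` is newly imported.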
LoginBean commandBean = new LoginBean();
String loginId = request.getParameter("loginId");
String password = request.getParameter("password");
+ String key = System.getenv("ENCRYPTION_KEY");
+ password = aesEncrypt(password, key);
commandBean.setLoginId(loginId);
commandBean.setLoginPwd(password);
- commandBean.setUserid(loginId);
+ // commandBean.setUserid(loginId);
commandBean = loginService.findUser(commandBean,
(String) request.getAttribute(MenuProperties.MENU_PROPERTIES_FILENAME_KEY), new HashMap());
List<RoleFunction> roleFunctionList = roleService.getRoleFunctions(loginId);
}
}
+ @Override
+ public ModelAndView doExternalLogin(HttpServletRequest request, HttpServletResponse response) throws IOException {
+
+ invalidateExistingSession(request);
+
+ LoginBean commandBean = new LoginBean();
+ String loginId = request.getParameter("loginId");
+ String password = request.getParameter("password");
+ String key = System.getenv("ENCRYPTION_KEY");
+ password = aesEncrypt(password, key);
+ commandBean.setLoginId(loginId);
+ commandBean.setLoginPwd(password);
+ // commandBean.setUserid(loginId);
+ commandBean = loginService.findUser(commandBean,
+ (String) request.getAttribute(MenuProperties.MENU_PROPERTIES_FILENAME_KEY), new HashMap());
+ List<RoleFunction> roleFunctionList = roleService.getRoleFunctions(loginId);
+
+ if (commandBean.getUser() == null) {
+ String loginErrorMessage = (commandBean.getLoginErrorMessage() != null) ? commandBean.getLoginErrorMessage()
+ : "login.error.external.invalid";
+ Map<String, String> model = new HashMap<>();
+ model.put("error", loginErrorMessage);
+ return new ModelAndView("login_external", "model", model);
+ } else {
+ // store the currently logged in user's information in the session
+ UserUtils.setUserSession(request, commandBean.getUser(), commandBean.getMenu(),
+ commandBean.getBusinessDirectMenu(),
+ SystemProperties.getProperty(SystemProperties.LOGIN_METHOD_BACKDOOR), roleFunctionList);
+ initateSessionMgtHandler(request);
+ // user has been authenticated, now take them to the welcome page
+ return new ModelAndView("redirect:welcome");
+ }
+ }
+
@Override
public String getUserId(HttpServletRequest request) throws PortalAPIException {
// Check ECOMP Portal cookie
}
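Review bot: `aesEncrypt` is used in `doLogin` and `doExternalLogin` as if it were a password hash, but `Cipher.getInstance("AES")` resolves to AES/ECB/PKCS5Padding on the SunJCE provider, which is deterministic and reversible: two users with the same password get the same stored value, and anyone holding ENCRYPTION_KEY can recover every stored password. For verifying credentials the stored value should be a salted, slow password hash (PBKDF2, bcrypt, scrypt or Argon2) computed and compared server-side, not a ciphertext matched by `loginService.findUser`. Two smaller points in both methods: if ENCRYPTION_KEY is unset, `System.getenv` returns null and `strKey.getBytes` throws a NullPointerException that the catch block in `aesEncrypt` does not cover, so validate the variable once at startup with a clear message; and `// commandBean.setUserid(loginId);` should be deleted rather than commented out, or the reason for disabling it explained.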
/**
- * Searches the request for the user-ID cookie and decrypts the value
- * using a key configured in properties
+ * Searches the request for the user-ID cookie and decrypts the value using a
+ * key configured in properties
*
* @param request HttpServletRequest
* @return User ID
/**
* Searches the request for the named cookie.
*
- * @param request HttpServletRequest
+ * @param request HttpServletRequest
* @param cookieName Name of desired cookie
* @return Cookie if found; otherwise null.
*/
return null;
}
+ private String aesEncrypt(String password, String strKey) {
+ try {
+ byte[] keyBytes = Arrays.copyOf(strKey.getBytes("ASCII"), 16);
+ SecretKey key = new SecretKeySpec(keyBytes, "AES");
+ Cipher cipher = Cipher.getInstance("AES");
+ cipher.init(Cipher.ENCRYPT_MODE, key);
+ byte[] cleartext = password.getBytes("UTF-8");
+ byte[] ciphertextBytes = cipher.doFinal(cleartext);
+ return new String(Hex.encodeHex(ciphertextBytes));
+ } catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | UnsupportedEncodingException
+ | IllegalBlockSizeException | BadPaddingException e) {
+ LOGGER.error(EELFLoggerDelegate.errorLogger,
+ "Error when encrypting password key" + UserUtils.getStackTrace(e));
+ return null;
+ }
+ }
+
}
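Review bot: on the error path `aesEncrypt` logs and returns null, and both callers then do `commandBean.setLoginPwd(null)` and continue into `loginService.findUser`, so an encryption failure is reported to the user as an ordinary invalid login; throw instead of returning null so the callers fail visibly. `Arrays.copyOf(strKey.getBytes("ASCII"), 16)` silently zero-pads short keys and truncates long ones, so a weak or mistyped key is accepted without complaint; check that the key is exactly 16 bytes up front. The log call also concatenates the stack trace directly onto `"Error when encrypting password key"` with no separator, which makes the errorLogger output hard to read.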