NIFI-8298 Refactored Kerberos and Socket classes from security-utils to new modules

- Created nifi-security-socket-ssl
- Created nifi-security-kerberos
- Removed nifi-security-utils dependency from nifi-processor-utils
- Updated modules to reference new dependencies
- Eliminated unnecessary transitive dependencies on bcprov-jdk15on from over 30 modules

Signed-off-by: Nathan Gough <thenatog@gmail.com>

This closes #4881.

nifi-commons/nifi-security-kerberos/pom.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+      http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.nifi</groupId>
+        <artifactId>nifi-commons</artifactId>
+        <version>1.14.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>nifi-security-kerberos</artifactId>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-api</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.11</version>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.hadoop</groupId>
+            <artifactId>hadoop-minikdc</artifactId>
+            <version>3.1.0</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>

nifi-commons/nifi-security-socket-ssl/pom.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+      http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.nifi</groupId>
+        <artifactId>nifi-commons</artifactId>
+        <version>1.14.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>nifi-security-socket-ssl</artifactId>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-utils</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+    </dependencies>
+</project>

nifi-commons/nifi-security-socket-ssl/src/main/java/org/apache/nifi/remote/io/socket/ssl/SSLSocketChannel.java

@@ -19,7 +19,6 @@ package org.apache.nifi.remote.io.socket.ssl;
 import org.apache.nifi.remote.exception.TransmissionDisabledException;
 import org.apache.nifi.remote.io.socket.BufferStateManager;
 import org.apache.nifi.remote.io.socket.BufferStateManager.Direction;
-import org.apache.nifi.security.util.CertificateUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -184,9 +183,14 @@ public class SSLSocketChannel implements Closeable {
             throw new SSLPeerUnverifiedException("No certificates found");
         }
 
-        final X509Certificate cert = CertificateUtils.convertAbstractX509Certificate(certs[0]);
-        cert.checkValidity();
-        return cert.getSubjectDN().getName().trim();
+        final Certificate certificate = certs[0];
+        if (certificate instanceof X509Certificate) {
+            final X509Certificate peerCertificate = (X509Certificate) certificate;
+            peerCertificate.checkValidity();
+            return peerCertificate.getSubjectDN().getName().trim();
+        } else {
+            throw new CertificateException(String.format("X.509 Certificate class not found [%s]", certificate.getClass()));
+        }
     }
 
     private void performHandshake() throws IOException {

nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/krb/KerberosPrincipalParserSpec.groovy

@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.security.util.krb
-
-import spock.lang.Specification
-import spock.lang.Unroll
-
-class KerberosPrincipalParserSpec extends Specification {
-
-    @Unroll
-    def "Verify parsed realm from '#testPrincipal' == '#expectedRealm'"() {
-        expect:
-        KerberosPrincipalParser.getRealm(testPrincipal) == expectedRealm
-
-        where:
-        testPrincipal                     || expectedRealm
-        "user"                            || null
-        "user@"                           || null
-        "user@EXAMPLE.COM"                || "EXAMPLE.COM"
-        "user@name@EXAMPLE.COM"           || "EXAMPLE.COM"
-        "user\\@"                         || null
-        "user\\@name"                     || null
-        "user\\@name@EXAMPLE.COM"         || "EXAMPLE.COM"
-        "user@EXAMPLE.COM\\@"             || "EXAMPLE.COM\\@"
-        "user@@name@\\@@\\@"              || "\\@"
-        "user@@name@\\@@\\@@EXAMPLE.COM"  || "EXAMPLE.COM"
-        "user@@name@\\@@\\@@EXAMPLE.COM@" || null
-        "user\\@\\@name@EXAMPLE.COM"      || "EXAMPLE.COM"
-    }
-}

nifi-commons/pom.xml

@@ -37,6 +37,8 @@
         <module>nifi-record-path</module>
         <module>nifi-rocksdb-utils</module>
         <module>nifi-schema-utils</module>
+        <module>nifi-security-kerberos</module>
+        <module>nifi-security-socket-ssl</module>
         <module>nifi-security-utils-api</module>
         <module>nifi-security-utils</module>
         <module>nifi-site-to-site-client</module>

nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/pom.xml

@@ -35,6 +35,11 @@
             <artifactId>nifi-processor-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-socket-ssl</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>com.google.code.gson</groupId>
             <artifactId>gson</artifactId>

nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-services/pom.xml

@@ -62,12 +62,6 @@
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
 
-        <dependency>
-            <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-security-utils</artifactId>
-            <version>1.14.0-SNAPSHOT</version>
-        </dependency>
-
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-mock</artifactId>

nifi-nar-bundles/nifi-extension-utils/nifi-hadoop-utils/pom.xml

@@ -36,7 +36,7 @@
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-security-utils</artifactId>
+            <artifactId>nifi-security-kerberos</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
         <dependency>

nifi-nar-bundles/nifi-extension-utils/nifi-processor-utils/pom.xml

@@ -42,7 +42,7 @@
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-security-utils</artifactId>
+            <artifactId>nifi-security-socket-ssl</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
         <dependency>
@@ -50,6 +50,11 @@
             <artifactId>commons-io</artifactId>
             <version>2.6</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.11</version>
+        </dependency>
         <!-- Other modules using nifi-processor-utils are expected to have this API available, typically through a NAR dependency -->
         <dependency>
             <groupId>org.apache.nifi</groupId>

nifi-nar-bundles/nifi-extension-utils/nifi-record-utils/nifi-standard-record-utils/pom.xml

@@ -35,7 +35,7 @@
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-security-utils</artifactId>
+            <artifactId>nifi-security-socket-ssl</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
         <!-- Other modules using nifi-standard-record-utils are expected to have these APIs available, typically through a NAR dependency -->

nifi-nar-bundles/nifi-hive-bundle/nifi-hive-processors/pom.xml

@@ -41,6 +41,11 @@
             <artifactId>nifi-processor-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-kerberos</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-dbcp-service-api</artifactId>

nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml

@@ -36,6 +36,11 @@
             <artifactId>nifi-processor-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-kerberos</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-dbcp-service-api</artifactId>

nifi-nar-bundles/nifi-hive-bundle/nifi-hive_1_1-processors/pom.xml

@@ -41,6 +41,11 @@
             <artifactId>nifi-processor-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-kerberos</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-dbcp-service-api</artifactId>

nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/pom.xml

@@ -39,11 +39,6 @@
             <artifactId>nifi-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
-        <dependency>
-            <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-security-utils</artifactId>
-            <version>1.14.0-SNAPSHOT</version>
-        </dependency>
         <dependency>
             <groupId>org.springframework.security.kerberos</groupId>
             <artifactId>spring-security-kerberos-core</artifactId>

nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/main/java/org/apache/nifi/kerberos/KerberosProvider.java

@@ -26,7 +26,7 @@ import org.apache.nifi.authentication.exception.IdentityAccessException;
 import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException;
 import org.apache.nifi.authentication.exception.ProviderCreationException;
 import org.apache.nifi.authentication.exception.ProviderDestructionException;
-import org.apache.nifi.security.util.krb.KerberosPrincipalParser;
+import org.apache.nifi.kerberos.parser.KerberosPrincipalParser;
 import org.apache.nifi.util.FormatUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

nifi-nar-bundles/nifi-kerberos-iaa-providers-bundle/nifi-kerberos-iaa-providers/src/main/java/org/apache/nifi/kerberos/parser/KerberosPrincipalParser.java

@@ -14,9 +14,9 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.nifi.security.util.krb;
+package org.apache.nifi.kerberos.parser;
 
-import org.apache.nifi.util.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 public class KerberosPrincipalParser {
 

nifi-nar-bundles/nifi-kudu-bundle/nifi-kudu-controller-service/pom.xml

@@ -75,9 +75,8 @@
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-security-utils</artifactId>
+            <artifactId>nifi-security-kerberos</artifactId>
             <version>1.14.0-SNAPSHOT</version>
-            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>

nifi-nar-bundles/nifi-kudu-bundle/nifi-kudu-processors/pom.xml

@@ -86,7 +86,12 @@
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-security-utils</artifactId>
+            <artifactId>nifi-security-kerberos</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-kerberos</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
 

nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/pom.xml

@@ -70,6 +70,11 @@
             <artifactId>nifi-processor-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-kerberos</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-ssl-context-service-api</artifactId>

nifi-nar-bundles/nifi-standard-services/nifi-dbcp-service-bundle/nifi-dbcp-service/pom.xml

@@ -44,7 +44,7 @@
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-security-utils</artifactId>
+            <artifactId>nifi-security-kerberos</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
         <dependency>

nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/pom.xml

@@ -40,6 +40,11 @@
             <artifactId>nifi-processor-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-socket-ssl</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-utils</artifactId>

nifi-nar-bundles/nifi-standard-services/nifi-hadoop-dbcp-service-bundle/nifi-hadoop-dbcp-service/pom.xml

@@ -44,7 +44,7 @@
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
-            <artifactId>nifi-security-utils</artifactId>
+            <artifactId>nifi-security-kerberos</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
         <dependency>

nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

@@ -49,6 +49,11 @@
             <artifactId>nifi-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-kerberos</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-hadoop-utils</artifactId>

nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/pom.xml

@@ -52,6 +52,11 @@
             <artifactId>nifi-hadoop-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-kerberos</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-distributed-cache-client-service-api</artifactId>

nifi-nar-bundles/nifi-standard-services/nifi-hwx-schema-registry-bundle/nifi-hwx-schema-registry-service/pom.xml

@@ -40,6 +40,11 @@ limitations under the License.
             <artifactId>nifi-utils</artifactId>
             <version>1.14.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-kerberos</artifactId>
+            <version>1.14.0-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-record</artifactId>

nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/src/main/java/org/apache/nifi/schema/inference/VolatileSchemaCache.java

@@ -19,7 +19,6 @@ package org.apache.nifi.schema.inference;
 import avro.shaded.com.google.common.annotations.VisibleForTesting;
 import com.github.benmanes.caffeine.cache.Cache;
 import com.github.benmanes.caffeine.cache.Caffeine;
-import org.apache.commons.codec.binary.Hex;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
@@ -37,6 +36,7 @@ import org.apache.nifi.serialization.record.type.RecordDataType;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
@@ -60,6 +60,8 @@ public class VolatileSchemaCache extends AbstractControllerService implements Re
         .defaultValue("100")
         .build();
 
+    private static final Base64.Encoder ENCODER = Base64.getEncoder().withoutPadding();
+
     private volatile Cache<String, RecordSchema> cache;
 
     @Override
@@ -127,7 +129,8 @@ public class VolatileSchemaCache extends AbstractControllerService implements Re
         }
 
         final byte[] digestBytes = digest.digest();
-        return Hex.encodeHexString(digestBytes);
+
+        return ENCODER.encodeToString(digestBytes);
     }
 
     private void computeHash(final RecordSchema schema, final MessageDigest digest) {

nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-jetty/src/main/java/org/apache/nifi/websocket/jetty/JettyWebSocketClient.java

@@ -16,7 +16,6 @@
  */
 package org.apache.nifi.websocket.jetty;
 
-import org.apache.commons.codec.binary.Base64;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnDisabled;
@@ -46,6 +45,7 @@ import java.io.IOException;
 import java.net.URI;
 import java.nio.charset.Charset;
 import java.util.ArrayList;
+import java.util.Base64;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
@@ -219,7 +219,7 @@ public class JettyWebSocketClient extends AbstractJettyWebSocketService implemen
                 throw new IllegalArgumentException(AUTH_CHARSET.getDisplayName() + " was not specified.");
             }
             final Charset charset = Charset.forName(charsetName);
-            final String base64String = Base64.encodeBase64String((userName + ":" + userPassword).getBytes(charset));
+            final String base64String = Base64.getEncoder().encodeToString((userName + ":" + userPassword).getBytes(charset));
             authorizationHeader = "Basic " + base64String;
         } else {
             authorizationHeader = null;

nifi-toolkit/nifi-toolkit-cli/pom.xml

@@ -72,6 +72,11 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-security-kerberos</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.nifi.registry</groupId>
             <artifactId>nifi-registry-client</artifactId>