Apache/nifi
1
0
Fork 0
mirror of https://github.com/apache/nifi.git synced 2025-02-28 22:49:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

NIFI-8403: Generating Self-signed cert on startup when applicable (#4986)

Browse Source 
* NIFI-8403: Implementing auto-generated certificates for secure startup

* Adding check for passwords in SecureNiFiConfigUtil
This commit is contained in:
Joe Gresock 2021-04-27 09:34:44 -04:00 committed by GitHub
parent 525bfe00b3
commit 90c7d03ed3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 1000 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/RunNiFi.java
View File

@ -16,6 +16,14 @@
*/
package org.apache.nifi.bootstrap;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.bootstrap.notification.NotificationType;
import org.apache.nifi.bootstrap.util.OSUtils;
import org.apache.nifi.bootstrap.util.SecureNiFiConfigUtil;
import org.apache.nifi.util.file.FileUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
@ -60,12 +68,6 @@ import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.bootstrap.notification.NotificationType;
import org.apache.nifi.bootstrap.util.OSUtils;
import org.apache.nifi.util.file.FileUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* <p>
@ -1110,6 +1112,12 @@ public class RunNiFi {
}
}
try {
SecureNiFiConfigUtil.configureSecureNiFiProperties(nifiPropsFilename, cmdLogger);
} catch (IOException | RuntimeException e) {
cmdLogger.error("Self-Signed Certificate Generation Failed", e);
}
final NiFiListener listener = new NiFiListener();
final int listenPort = listener.start(this);

212
nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/util/SecureNiFiConfigUtil.java Normal file
View File

@ -0,0 +1,212 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.nifi.bootstrap.util;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.util.NiFiProperties;
import org.bouncycastle.util.IPAddress;
import org.slf4j.Logger;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;
public class SecureNiFiConfigUtil {
private static final int CERT_DURATION_DAYS = 60;
private static final String LOCALHOST_NAME = "localhost";
private static final String PROPERTY_VALUE_PATTERN = "%s=%s";
private SecureNiFiConfigUtil() {
}
private static boolean fileExists(String filename) {
return StringUtils.isNotEmpty(filename) && Paths.get(filename).toFile().exists();
}
/**
* Returns true only if nifi.web.https.port is set, nifi.security.keystore and nifi.security.truststore
* are both set, and both nifi.security.keystorePasswd and nifi.security.truststorePassword are NOT set.
*
* This would indicate that the user intends to auto-generate a keystore and truststore, rather than
* using their existing kestore and truststore.
* @param nifiProperties The nifi properties
* @return
*/
private static boolean isHttpsSecurityConfiguredWithEmptyPasswords(final Properties nifiProperties) {
if (StringUtils.isEmpty(nifiProperties.getProperty(NiFiProperties.WEB_HTTPS_PORT, StringUtils.EMPTY))) {
return false;
}
String keystorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE, StringUtils.EMPTY);
String truststorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE, StringUtils.EMPTY);
if (StringUtils.isEmpty(keystorePath) || StringUtils.isEmpty(truststorePath)) {
return false;
}
String keystorePassword = nifiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD, StringUtils.EMPTY);
String truststorePassword = nifiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD, StringUtils.EMPTY);
if (StringUtils.isNotEmpty(keystorePassword) || StringUtils.isNotEmpty(truststorePassword)) {
return false;
}
return true;
}
/**
* If HTTPS is enabled (nifi.web.https.port is set), but the keystore file specified in nifi.security.keystore
* does not exist, this will generate a key pair and self-signed certificate, generate the associated keystore
* and truststore and write them to disk under the configured filepaths, generate a secure random keystore password
* and truststore password, and write these to the nifi.properties file.
* @param nifiPropertiesFilename The filename of the nifi.properties file
* @param cmdLogger The bootstrap logger
* @throws IOException can be thrown when writing keystores to disk
* @throws RuntimeException indicates a security exception while generating keystores
*/
public static void configureSecureNiFiProperties(String nifiPropertiesFilename, Logger cmdLogger) throws IOException, RuntimeException {
final File propertiesFile = new File(nifiPropertiesFilename);
final Properties nifiProperties = loadProperties(propertiesFile);
if (!isHttpsSecurityConfiguredWithEmptyPasswords(nifiProperties)) {
cmdLogger.debug("Skipping Apache Nifi certificate generation.");
return;
}
String keystorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE, StringUtils.EMPTY);
String truststorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE, StringUtils.EMPTY);
boolean keystoreExists = fileExists(keystorePath);
boolean truststoreExists = fileExists(truststorePath);
if (!keystoreExists && !truststoreExists) {
TlsConfiguration tlsConfiguration = null;
cmdLogger.info("Generating Self-Signed Certificate: Expires on {}", LocalDate.now().plus(CERT_DURATION_DAYS, ChronoUnit.DAYS));
try {
String[] subjectAlternativeNames = getSubjectAlternativeNames(nifiProperties, cmdLogger);
tlsConfiguration = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore(StandardTlsConfiguration
.fromNiFiProperties(nifiProperties), CERT_DURATION_DAYS, subjectAlternativeNames);
} catch (GeneralSecurityException e) {
throw new RuntimeException(e);
}
// Move over the new stores from temp dir
Files.move(Paths.get(tlsConfiguration.getKeystorePath()), Paths.get(keystorePath),
StandardCopyOption.REPLACE_EXISTING);
Files.move(Paths.get(tlsConfiguration.getTruststorePath()), Paths.get(truststorePath),
StandardCopyOption.REPLACE_EXISTING);
updateProperties(propertiesFile, tlsConfiguration);
cmdLogger.debug("Generated Keystore [{}] Truststore [{}]", keystorePath, truststorePath);
} else if (!keystoreExists && truststoreExists) {
cmdLogger.warn("Truststore file {} already exists. Apache NiFi will not generate keystore and truststore separately.",
truststorePath);
} else if (keystoreExists && !truststoreExists) {
cmdLogger.warn("Keystore file {} already exists. Apache NiFi will not generate keystore and truststore separately.",
keystorePath);
}
}
/**
* Attempts to add some reasonable guesses at desired SAN values that can be added to the generated
* certificate.
* @param nifiProperties The nifi.properties
* @return A Pair with IP SANs on the left and DNS SANs on the right
*/
private static String[] getSubjectAlternativeNames(Properties nifiProperties, Logger cmdLogger) {
Set<String> dnsSubjectAlternativeNames = new HashSet<>();
try {
dnsSubjectAlternativeNames.add(InetAddress.getLocalHost().getHostName());
} catch (UnknownHostException e) {
cmdLogger.debug("Could not add localhost hostname as certificate SAN", e);
}
addSubjectAlternativeName(nifiProperties, NiFiProperties.REMOTE_INPUT_HOST, dnsSubjectAlternativeNames);
addSubjectAlternativeName(nifiProperties, NiFiProperties.WEB_HTTPS_HOST, dnsSubjectAlternativeNames);
addSubjectAlternativeName(nifiProperties, NiFiProperties.WEB_PROXY_HOST, dnsSubjectAlternativeNames);
addSubjectAlternativeName(nifiProperties, NiFiProperties.LOAD_BALANCE_ADDRESS, dnsSubjectAlternativeNames);
// Not necessary to add as a SAN
dnsSubjectAlternativeNames.remove(LOCALHOST_NAME);
return dnsSubjectAlternativeNames.toArray(new String[dnsSubjectAlternativeNames.size()]);
}
private static void addSubjectAlternativeName(Properties nifiProperties, String propertyName,
Set<String> dnsSubjectAlternativeNames) {
String hostValue = nifiProperties.getProperty(propertyName, StringUtils.EMPTY);
if (!hostValue.isEmpty()) {
if (!IPAddress.isValid(hostValue)) {
dnsSubjectAlternativeNames.add(hostValue);
}
}
}
private static String getPropertyLine(String name, String value) {
return String.format(PROPERTY_VALUE_PATTERN, name, value);
}
private static void updateProperties(final File propertiesFile, final TlsConfiguration tlsConfiguration) throws IOException {
final Path propertiesFilePath = propertiesFile.toPath();
final List<String> lines = Files.readAllLines(propertiesFilePath);
final List<String> updatedLines = lines.stream().map(line -> {
if (line.startsWith(NiFiProperties.SECURITY_KEYSTORE_PASSWD)) {
return getPropertyLine(NiFiProperties.SECURITY_KEYSTORE_PASSWD, tlsConfiguration.getKeystorePassword());
} else if (line.startsWith(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD)) {
return getPropertyLine(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD, tlsConfiguration.getTruststorePassword());
} else if (line.startsWith(NiFiProperties.SECURITY_KEY_PASSWD)) {
return getPropertyLine(NiFiProperties.SECURITY_KEY_PASSWD, tlsConfiguration.getKeystorePassword());
} else if (line.startsWith(NiFiProperties.SECURITY_KEYSTORE_TYPE)) {
return getPropertyLine(NiFiProperties.SECURITY_KEYSTORE_TYPE, tlsConfiguration.getKeystoreType().getType());
} else if (line.startsWith(NiFiProperties.SECURITY_TRUSTSTORE_TYPE)) {
return getPropertyLine(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, tlsConfiguration.getTruststoreType().getType());
} else {
return line;
}
}).collect(Collectors.toList());
Files.write(propertiesFilePath, updatedLines);
}
private static Properties loadProperties(final File propertiesFile) {
final Properties properties = new Properties();
try (final FileReader reader = new FileReader(propertiesFile)) {
properties.load(reader);
} catch (final IOException e) {
final String message = String.format("Failed to read NiFi Properties [%s]", propertiesFile);
throw new UncheckedIOException(message, e);
}
return properties;
}
}

230
nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/util/TestSecureNiFiConfigUtil.java Normal file
View File

@ -0,0 +1,230 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.nifi.bootstrap.util;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.nifi.properties.NiFiPropertiesLoader;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.util.IPAddress;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
public class TestSecureNiFiConfigUtil {
public static final String TEST_RESOURCE_DIR = "src/test/resources/";
private Logger logger = LoggerFactory.getLogger("org.apache.nifi.bootstrap.util.TestSecureNiFiConfigUtil");
private static final String PROPERTIES_PREFIX = "nifi-properties";
private static final boolean EXPECT_STORES_TO_EXIST = true;
private Path nifiPropertiesFile;
private Path keystorePath;
private Path truststorePath;
private Path existingKeystorePath = getTestFilePath("existing-keystore.p12");
private Path existingTruststorePath = getTestFilePath("existing-truststore.p12");
private NiFiProperties configureSecureNiFiProperties(Path testPropertiesFile) throws IOException {
Files.copy(testPropertiesFile, nifiPropertiesFile, StandardCopyOption.REPLACE_EXISTING);
SecureNiFiConfigUtil.configureSecureNiFiProperties(nifiPropertiesFile.toString(), logger);
return new NiFiPropertiesLoader().load(nifiPropertiesFile.toFile());
}
private static Path getPathFromClasspath(String filename) {
try {
return Paths.get(TestSecureNiFiConfigUtil.class.getClassLoader().getResource(filename).toURI());
} catch (URISyntaxException e) {
throw new RuntimeException(e);
}
}
private static Path getTestFilePath(String filename) {
return Paths.get(TEST_RESOURCE_DIR + filename);
}
private static String getFileHash(Path filepath) throws IOException {
return DigestUtils.sha256Hex(Files.readAllBytes(filepath));
}
@Before
public void init() throws IOException, GeneralSecurityException {
nifiPropertiesFile = Files.createTempFile(PROPERTIES_PREFIX, ".properties");
TlsConfiguration tlsConfig = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore(new StandardTlsConfiguration());
Files.move(Paths.get(tlsConfig.getKeystorePath()), existingKeystorePath, StandardCopyOption.REPLACE_EXISTING);
Files.move(Paths.get(tlsConfig.getTruststorePath()), existingTruststorePath, StandardCopyOption.REPLACE_EXISTING);
}
@After
public void cleanUp() throws IOException {
deleteIfExists(nifiPropertiesFile);
deleteIfExists(keystorePath);
deleteIfExists(truststorePath);
deleteIfExists(existingKeystorePath);
deleteIfExists(existingTruststorePath);
}
private static void deleteIfExists(Path path) throws IOException {
if (path != null && StringUtils.isNotEmpty(path.toString())) {
Files.deleteIfExists(path);
}
}
private void runTestWithExpectedSuccess(String testPropertiesFile, List<String> expectedSANs) throws IOException, GeneralSecurityException {
Path testPropertiesFilePath = getPathFromClasspath(testPropertiesFile);
NiFiProperties niFiProperties = this.configureSecureNiFiProperties(testPropertiesFilePath);
keystorePath = Paths.get(niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE));
Assert.assertTrue(keystorePath.toFile().exists());
Assert.assertFalse(niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD).isEmpty());
Assert.assertEquals("PKCS12", niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE));
char[] keyPassword = niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD).toCharArray();
KeyStore keyStore = KeyStoreUtils.loadKeyStore(keystorePath.toString(),
niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD).toCharArray(),
niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE));
String alias = keyStore.aliases().nextElement();
Assert.assertTrue(keyStore.isKeyEntry(alias));
Key key = keyStore.getKey(alias, keyPassword);
Assert.assertNotNull(key);
truststorePath = Paths.get(niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE));
Assert.assertTrue(truststorePath.toFile().exists());
Assert.assertFalse(niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD).isEmpty());
Assert.assertEquals("PKCS12", niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE));
KeyStore trustStore = KeyStoreUtils.loadKeyStore(truststorePath.toString(),
niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD).toCharArray(),
niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE));
String trustAlias = trustStore.aliases().nextElement();
Assert.assertTrue(trustStore.isCertificateEntry(trustAlias));
Certificate certificate = trustStore.getCertificate(trustAlias);
certificate.verify(certificate.getPublicKey());
if (!expectedSANs.isEmpty()) {
Collection<List<?>> sans = ((X509Certificate)certificate).getSubjectAlternativeNames();
Set<String> foundSands = new HashSet<>();
for(List<?> list : sans) {
String san = (String) list.get(1);
if (IPAddress.isValid(san)) {
Assert.assertEquals(GeneralName.iPAddress, list.get(0));
} else {
Assert.assertEquals(GeneralName.dNSName, list.get(0));
}
foundSands.add((String) list.get(1));
}
for(String expectedSAN : expectedSANs) {
Assert.assertTrue(foundSands.contains(expectedSAN));
}
}
}
private void runTestWithNoExpectedUpdates(String testPropertiesFile, boolean expectBothStoresToExist) throws IOException, GeneralSecurityException {
this.runTestWithNoExpectedUpdates(testPropertiesFile, expectBothStoresToExist, expectBothStoresToExist);
}
private void runTestWithNoExpectedUpdates(String testPropertiesFile, boolean expectKeystoreToExist, boolean expectTruststoreToExist)
throws IOException, GeneralSecurityException {
Path testPropertiesFilePath = getPathFromClasspath(testPropertiesFile);
NiFiProperties niFiProperties = this.configureSecureNiFiProperties(testPropertiesFilePath);
keystorePath = Paths.get(niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE));
truststorePath = Paths.get(niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE));
Assert.assertEquals(expectKeystoreToExist, Paths.get(niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE)).toFile().exists());
Assert.assertEquals(expectTruststoreToExist, Paths.get(niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE)).toFile().exists());
// Show that nifi.properties was not updated
Assert.assertEquals(getFileHash(nifiPropertiesFile), getFileHash(testPropertiesFilePath));
}
@Test
public void testSuccessfulConfiguration() throws IOException, GeneralSecurityException {
runTestWithExpectedSuccess("nifi.properties.success", Collections.EMPTY_LIST);
}
@Test
public void testSuccessfulDNSSANs() throws IOException, GeneralSecurityException {
runTestWithExpectedSuccess("nifi.properties.dns-sans",
Arrays.asList(new String[] {"test-host", "remote-host", "proxy-host", "cluster-host"}));
}
@Test
public void testNoHttps() throws IOException, GeneralSecurityException {
runTestWithNoExpectedUpdates("nifi.properties.no-https", !EXPECT_STORES_TO_EXIST);
}
@Test
public void testNoKeystores() throws IOException, GeneralSecurityException {
runTestWithNoExpectedUpdates("nifi.properties.no-keystores", !EXPECT_STORES_TO_EXIST);
}
@Test
public void testTruststorePasswordSet() throws IOException, GeneralSecurityException {
runTestWithNoExpectedUpdates("nifi.properties.truststore-password", !EXPECT_STORES_TO_EXIST);
}
@Test
public void testKeystorePasswordSet() throws IOException, GeneralSecurityException {
runTestWithNoExpectedUpdates("nifi.properties.keystore-password", !EXPECT_STORES_TO_EXIST);
}
@Test
public void test_keystoreAndTruststoreAlreadyExist() throws IOException, GeneralSecurityException {
runTestWithNoExpectedUpdates("nifi.properties.stores-exist", EXPECT_STORES_TO_EXIST);
}
@Test
public void testNoKeystoresTypes() throws IOException, GeneralSecurityException {
runTestWithExpectedSuccess("nifi.properties.no-keystore-types", Collections.EMPTY_LIST);
}
@Test
public void testFailure_onlyTruststoreExists() throws IOException, GeneralSecurityException {
runTestWithNoExpectedUpdates("nifi.properties.only-truststore", !EXPECT_STORES_TO_EXIST, EXPECT_STORES_TO_EXIST);
}
@Test
public void testFailure_onlyKeystoreExists() throws IOException, GeneralSecurityException {
runTestWithNoExpectedUpdates("nifi.properties.only-keystore", EXPECT_STORES_TO_EXIST, !EXPECT_STORES_TO_EXIST);
}
}

43
nifi-bootstrap/src/test/resources/nifi.properties.dns-sans Normal file
View File

@ -0,0 +1,43 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
nifi.remote.input.host=remote-host
nifi.web.proxy.host=proxy-host
nifi.cluster.load.balance.address=cluster-host
# web properties #
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=test-host
nifi.web.https.port=8443
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=./src/test/resources/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./src/test/resources/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=

43
nifi-bootstrap/src/test/resources/nifi.properties.ip-sans Normal file
View File

@ -0,0 +1,43 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
nifi.remote.input.host=1.2.3.4
nifi.web.proxy.host=1.2.3.5
nifi.cluster.load.balance.address=1.2.3.6
# web properties #
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=1.2.3.4
nifi.web.https.port=8443
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=./src/test/resources/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./src/test/resources/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=

39
nifi-bootstrap/src/test/resources/nifi.properties.keystore-password Normal file
View File

@ -0,0 +1,39 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
# web properties #
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=
nifi.web.https.port=8443
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=./src/test/resources/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=12345
nifi.security.keyPasswd=
nifi.security.truststore=./src/test/resources/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=

39
nifi-bootstrap/src/test/resources/nifi.properties.no-https Normal file
View File

@ -0,0 +1,39 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
# web properties #
nifi.web.http.host=
nifi.web.http.port=8080
nifi.web.https.host=
nifi.web.https.port=
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=./src/test/resources/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./src/test/resources/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=

39
nifi-bootstrap/src/test/resources/nifi.properties.no-keystore-types Normal file
View File

@ -0,0 +1,39 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
# web properties #
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=
nifi.web.https.port=8443
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=./src/test/resources/keystore.p12
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./src/test/resources/truststore.p12
nifi.security.truststoreType=
nifi.security.truststorePasswd=
nifi.security.user.authorizer=

39
nifi-bootstrap/src/test/resources/nifi.properties.no-keystores Normal file
View File

@ -0,0 +1,39 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
# web properties #
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=
nifi.web.https.port=8443
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=

39
nifi-bootstrap/src/test/resources/nifi.properties.only-keystore Normal file
View File

@ -0,0 +1,39 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
# web properties #
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=
nifi.web.https.port=8443
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=./src/test/resources/existing-keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./src/test/resources/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=

39
nifi-bootstrap/src/test/resources/nifi.properties.only-truststore Normal file
View File

@ -0,0 +1,39 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
# web properties #
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=
nifi.web.https.port=8443
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=./src/test/resources/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./src/test/resources/existing-truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=

39
nifi-bootstrap/src/test/resources/nifi.properties.stores-exist Normal file
View File

@ -0,0 +1,39 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
# web properties #
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=
nifi.web.https.port=8443
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=./src/test/resources/existing-keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./src/test/resources/existing-truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=

39
nifi-bootstrap/src/test/resources/nifi.properties.success Normal file
View File

@ -0,0 +1,39 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
# web properties #
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=
nifi.web.https.port=8443
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=./src/test/resources/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./src/test/resources/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=

39
nifi-bootstrap/src/test/resources/nifi.properties.truststore-password Normal file
View File

@ -0,0 +1,39 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Core Properties #
nifi.flow.configuration.file=./target/flow.xml.gz
# Removing most properties for testing...
# web properties #
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=
nifi.web.https.port=8443
# security properties #
nifi.sensitive.props.key=key
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.security.keystore=./src/test/resources/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./src/test/resources/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=12345
nifi.security.user.authorizer=

31
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
View File

@ -466,6 +466,23 @@ public final class CertificateUtils {
*/
public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays)
throws CertificateException {
return generateSelfSignedX509Certificate(keyPair, dn, signingAlgorithm, certificateDurationDays, null);
}
/**
* Generates a self-signed {@link X509Certificate} suitable for use as a Certificate Authority.
*
* @param keyPair the {@link KeyPair} to generate the {@link X509Certificate} for
* @param dn the distinguished name to user for the {@link X509Certificate}
* @param signingAlgorithm the signing algorithm to use for the {@link X509Certificate}
* @param certificateDurationDays the duration in days for which the {@link X509Certificate} should be valid
* @param dnsSubjectAlternativeNames An optional array of dnsName SANs
* @return a self-signed {@link X509Certificate} suitable for use as a Certificate Authority
* @throws CertificateException if there is an generating the new certificate
*/
public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays,
String[] dnsSubjectAlternativeNames)
throws CertificateException {
try {
ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(keyPair.getPrivate());
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
@ -495,8 +512,20 @@ public final class CertificateUtils {
// (3) subjectAlternativeName extension. Include CN as a SAN entry if it exists.
final String cn = getCommonName(dn);
List<GeneralName> generalNames = new ArrayList<>();
if (StringUtils.isNotBlank(cn)) {
certBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.dNSName, cn)));
generalNames.add(new GeneralName(GeneralName.dNSName, cn));
}
if (dnsSubjectAlternativeNames != null) {
for (String subjectAlternativeName : dnsSubjectAlternativeNames) {
if (StringUtils.isNotBlank(subjectAlternativeName)) {
generalNames.add(new GeneralName(GeneralName.dNSName, subjectAlternativeName));
}
}
}
if (!generalNames.isEmpty()) {
certBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(generalNames.toArray(
new GeneralName[generalNames.size()])));
}
// Sign the certificate

38
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/KeyStoreUtils.java
View File

@ -154,11 +154,25 @@ public class KeyStoreUtils {
/**
* Creates a temporary Keystore and Truststore and returns it wrapped in a new TLS configuration with the given values.
* Specifies an expiration duration of 365 days.
*
* @param tlsConfiguration a {@link org.apache.nifi.security.util.TlsConfiguration}
* @return a {@link org.apache.nifi.security.util.TlsConfiguration}
*/
public static TlsConfiguration createTlsConfigAndNewKeystoreTruststore(final TlsConfiguration tlsConfiguration) throws IOException, GeneralSecurityException {
return createTlsConfigAndNewKeystoreTruststore(tlsConfiguration, CERT_DURATION_DAYS, null);
}
/**
* Creates a temporary Keystore and Truststore and returns it wrapped in a new TLS configuration with the given values.
*
* @param tlsConfiguration a {@link org.apache.nifi.security.util.TlsConfiguration}
* @param certDurationDays The number of days the cert should be valid
* @param dnsSubjectAlternativeNames An optional array of dnsName SANs
* @return a {@link org.apache.nifi.security.util.TlsConfiguration}
*/
public static TlsConfiguration createTlsConfigAndNewKeystoreTruststore(final TlsConfiguration tlsConfiguration, int certDurationDays,
String[] dnsSubjectAlternativeNames) throws IOException, GeneralSecurityException {
final Path keyStorePath;
final String keystorePassword = StringUtils.isNotBlank(tlsConfiguration.getKeystorePassword()) ? tlsConfiguration.getKeystorePassword() : generatePassword();
final KeystoreType keystoreType = tlsConfiguration.getKeystoreType() != null ? tlsConfiguration.getKeystoreType() : KeystoreType.PKCS12;
@ -184,7 +198,8 @@ public class KeyStoreUtils {
}
// Create X509 Certificate
final X509Certificate clientCert = createKeyStoreAndGetX509Certificate(KEY_ALIAS, keystorePassword, keyPassword, keyStorePath.toString(), keystoreType);
final X509Certificate clientCert = createKeyStoreAndGetX509Certificate(KEY_ALIAS, keystorePassword, keyPassword,
keyStorePath.toString(), keystoreType, certDurationDays, dnsSubjectAlternativeNames);
// Create Truststore
createTrustStore(clientCert, CERT_ALIAS, truststorePassword, trustStorePath.toString(), truststoreType);
@ -459,12 +474,31 @@ public class KeyStoreUtils {
private static X509Certificate createKeyStoreAndGetX509Certificate(
final String alias, final String keyStorePassword, final String keyPassword, final String keyStorePath,
final KeystoreType keyStoreType) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
return createKeyStoreAndGetX509Certificate(alias, keyStorePassword, keyPassword, keyStorePath, keyStoreType, CERT_DURATION_DAYS,
null);
}
/**
* Loads the Keystore and returns a X509 Certificate with the given values.
*
* @param alias the certificate alias
* @param keyStorePassword the keystore password
* @param keyPassword the key password
* @param keyStorePath the keystore path
* @param keyStoreType the keystore type
* @param dnsSubjectAlternativeNames An optional array of dnsName SANs
* @param certDurationDays the duration of the validity of the certificate, in days
* @return a {@link X509Certificate}
*/
private static X509Certificate createKeyStoreAndGetX509Certificate(
final String alias, final String keyStorePassword, final String keyPassword, final String keyStorePath,
final KeystoreType keyStoreType, int certDurationDays, String[] dnsSubjectAlternativeNames)
throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
try (final FileOutputStream outputStream = new FileOutputStream(keyStorePath)) {
final KeyPair keyPair = KeyPairGenerator.getInstance(KEY_ALGORITHM).generateKeyPair();
final X509Certificate selfSignedCert = CertificateUtils.generateSelfSignedX509Certificate(
keyPair, CERT_DN, SIGNING_ALGORITHM, CERT_DURATION_DAYS
keyPair, CERT_DN, SIGNING_ALGORITHM, certDurationDays, dnsSubjectAlternativeNames
);
final KeyStore keyStore = loadEmptyKeyStore(keyStoreType);

41
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java
View File

@ -16,16 +16,18 @@
*/
package org.apache.nifi.security.util;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.Properties;
/**
@ -177,10 +179,8 @@ public class StandardTlsConfiguration implements TlsConfiguration {
* @param niFiProperties the NiFi properties
* @return a populated TlsConfiguration container object
*/
public static StandardTlsConfiguration fromNiFiProperties(NiFiProperties niFiProperties) {
if (niFiProperties == null) {
throw new IllegalArgumentException("The NiFi properties cannot be null");
}
public static TlsConfiguration fromNiFiProperties(NiFiProperties niFiProperties) {
Objects.requireNonNull("The NiFi properties cannot be null");
String keystorePath = niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE);
String keystorePassword = niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD);
@ -203,6 +203,31 @@ public class StandardTlsConfiguration implements TlsConfiguration {
return tlsConfiguration;
}
/**
* Returns a {@link org.apache.nifi.security.util.TlsConfiguration} instantiated from the relevant {@link NiFiProperties} properties.
*
* @param niFiProperties the NiFi properties, as a simple java.util.Properties object
* @return a populated TlsConfiguration container object
*/
public static TlsConfiguration fromNiFiProperties(Properties niFiProperties) {
Objects.requireNonNull("The NiFi properties cannot be null");
String keystorePath = niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE);
String keystorePassword = niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD);
String keyPassword = niFiProperties.getProperty(NiFiProperties.SECURITY_KEY_PASSWD);
String keystoreType = niFiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE);
String truststorePath = niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE);
String truststorePassword = niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD);
String truststoreType = niFiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE);
String protocol = TLS_PROTOCOL_VERSION;
final StandardTlsConfiguration tlsConfiguration = new StandardTlsConfiguration(keystorePath, keystorePassword, keyPassword,
keystoreType, truststorePath, truststorePassword,
truststoreType, protocol);
return tlsConfiguration;
}
/**
* Returns a {@link org.apache.nifi.security.util.TlsConfiguration} instantiated
* from the relevant {@link NiFiProperties} properties for the truststore

3
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-components/src/main/java/org/apache/nifi/controller/state/manager/StandardStateManagerProvider.java
View File

@ -53,6 +53,7 @@ import org.apache.nifi.processor.StandardValidationContext;
import org.apache.nifi.registry.VariableRegistry;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.security.util.TlsException;
import org.apache.nifi.util.NiFiProperties;
import org.slf4j.Logger;
@ -211,7 +212,7 @@ public class StandardStateManagerProvider implements StateManagerProvider {
}
final SSLContext sslContext;
StandardTlsConfiguration standardTlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(properties);
TlsConfiguration standardTlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(properties);
try {
sslContext = SslContextFactory.createSslContext(standardTlsConfiguration);
} catch (TlsException e) {

6
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
View File

@ -148,10 +148,16 @@
<nifi.web.request.ip.whitelist />
<nifi.web.should.send.server.version>true</nifi.web.should.send.server.version>
<!-- nifi.properties: security properties -->
<!-- Use these values once we change default configuration to be HTTPS
<nifi.security.keystore>./conf/keystore.p12</nifi.security.keystore>
<nifi.security.keystoreType>PKCS12</nifi.security.keystoreType> -->
<nifi.security.keystore />
<nifi.security.keystoreType />
<nifi.security.keystorePasswd />
<nifi.security.keyPasswd />
<!-- Use these values once we change default configuration to be HTTPS
<nifi.security.truststore>./conf/truststore.p12</nifi.security.truststore>
<nifi.security.truststoreType>PKCS12</nifi.security.truststoreType> -->
<nifi.security.truststore />
<nifi.security.truststoreType />
<nifi.security.truststorePasswd />