diff --git a/etc/security/keystore.jks b/etc/security/keystore.jks
new file mode 100644
index 000000000..df75463bf
Binary files /dev/null and b/etc/security/keystore.jks differ
diff --git a/etc/security/prod-hpmiddleware-keystore.jks b/etc/security/prod-hpmiddleware-keystore.jks
new file mode 100644
index 000000000..340d99137
Binary files /dev/null and b/etc/security/prod-hpmiddleware-keystore.jks differ
diff --git a/etc/security/prod-hpmiddleware-truststore.jks b/etc/security/prod-hpmiddleware-truststore.jks
new file mode 100644
index 000000000..538a89b66
Binary files /dev/null and b/etc/security/prod-hpmiddleware-truststore.jks differ
diff --git a/etc/security/project b/etc/security/project
new file mode 100644
index 000000000..b3a4b6d53
--- /dev/null
+++ b/etc/security/project
@@ -0,0 +1,9 @@ +HTTP/1.1 201 Created +Content-Length: 13151 +Content-Type: application/json +Date: Thu, 29 May 2014 15:49:51 GMT +Server: Apache +Vary: X-Auth-Token +X-Subject-Token: HPAuth10_b21c070755e72f45a9fbfda570ae2fdbd981cb1a891bd33847b339505e3effb9 + +{"token": {"methods": ["password"], "roles": [{"name": "block-admin", "serviceId": "130", "id": "00000000004013", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/00000000004013"}, "tenantId": "27833633664734"}, {"name": "cdn-admin", "serviceId": "150", "id": "00000000004014", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/00000000004014"}, "tenantId": "27833633664734"}, {"name": "netadmin", "serviceId": "120", "id": "00000000004016", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/00000000004016"}, "tenantId": "27833633664734"}, {"name": "Admin", "serviceId": "110", "id": "00000000004022", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/00000000004022"}, "tenantId": "27833633664734"}, {"name": "user", "serviceId": "140", "id": "00000000004024", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/00000000004024"}, "tenantId": "27833633664734"}, {"name": "sysadmin", "serviceId": "120", "id": "00000000004025", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/00000000004025"}, "tenantId": "27833633664734"}, {"name": "monitoring-user", "serviceId": "230", "id": "74610560312285", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/74610560312285"}, "tenantId": "27833633664734"}, {"name": "dns-admin", "serviceId": "240", "id": "91643347410087", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/91643347410087"}, "tenantId": "27833633664734"}, {"name": "lbaas-user", "serviceId": "220", "id": "22490811419919", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/22490811419919"}, "tenantId": 
"27833633664734"}, {"name": "net-admin", "serviceId": "170", "id": "10419409370304", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/10419409370304"}, "tenantId": "27833633664734"}, {"name": "mysql-user", "serviceId": "160", "id": "00000000004032", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/00000000004032"}, "tenantId": "27833633664734"}, {"serviceId": "100", "id": "00000000004003", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/00000000004003"}, "name": "domainadmin"}, {"serviceId": "100", "id": "00000000004004", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/roles/00000000004004"}, "name": "domainuser"}], "expires_at": "2014-05-30T03:49:51.741033Z", "project": {"HP-IDM": {"status": "enabled"}, "domain": {"HP-IDM": {"domainStatus": "enabled"}, "id": "36687026566315", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/domains/36687026566315"}, "name": "derrick.johnson@autonomy.com-DOMAIN"}, "id": "27833633664734", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/projects/27833633664734"}, "name": "derrick.johnson@autonomy.com"}, "catalog": [{"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/150_P"}, "url": "https://region-a.geo-1.cdnmgmt.hpcloudsvc.com/v1.0/27833633664734", "region": "region-a.geo-1", "interface": "public", "service_Id": "150", "id": "150_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/1502_P"}, "url": "https://region-b.geo-1.cdnmgmt.hpcloudsvc.com/v1.0/27833633664734", "region": "region-b.geo-1", "interface": "public", "service_Id": "150", "id": "1502_P"}], "type": "hpext:cdn", "id": "150", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/150"}, "name": "CDN"}, {"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/160_P"}, "url": 
"https://glance1.uswest.hpcloud.net:9292/v1.0", "region": "az-1.region-a.geo-1", "interface": "public", "service_Id": "140", "id": "160_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/170_P"}, "url": "https://glance2.uswest.hpcloud.net:9292/v1.0", "region": "az-2.region-a.geo-1", "interface": "public", "service_Id": "140", "id": "170_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/180_P"}, "url": "https://glance3.uswest.hpcloud.net:9292/v1.0", "region": "az-3.region-a.geo-1", "interface": "public", "service_Id": "140", "id": "180_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/14000300_P"}, "url": "https://region-b.geo-1.images.hpcloudsvc.com:443/v1.0", "region": "region-b.geo-1", "interface": "public", "service_Id": "140", "id": "14000300_P"}], "type": "image", "id": "140", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/140"}, "name": "Image Management"}, {"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/160001_P"}, "url": "https://region-a.geo-1.database.hpcloudsvc.com/v1.0/27833633664734", "region": "region-a.geo-1", "interface": "public", "service_Id": "160", "id": "160001_P"}], "type": "database", "id": "160", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/160"}, "name": "Relational DB MySQL"}, {"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/120_P"}, "url": "https://region-a.geo-1.objects.hpcloudsvc.com/v1/27833633664734", "region": "region-a.geo-1", "interface": "public", "service_Id": "110", "id": "120_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/1102_P"}, "url": "https://region-b.geo-1.objects.hpcloudsvc.com:443/v1/27833633664734", "region": "region-b.geo-1", "interface": "public", "service_Id": "110", "id": "1102_P"}], "type": "object-store", "id": "110", 
"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/110"}, "name": "Object Storage"}, {"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/100_P"}, "url": "https://az-1.region-a.geo-1.compute.hpcloudsvc.com/v1.1/27833633664734", "region": "az-1.region-a.geo-1", "interface": "public", "service_Id": "120", "id": "100_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/100_P2"}, "url": "https://az-1.region-a.geo-1.ec2-compute.hpcloudsvc.com/services/Cloud", "region": "az-1.region-a.geo-1", "interface": "public", "service_Id": "120", "id": "100_P2"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/110_P"}, "url": "https://az-2.region-a.geo-1.compute.hpcloudsvc.com/v1.1/27833633664734", "region": "az-2.region-a.geo-1", "interface": "public", "service_Id": "120", "id": "110_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/110_P2"}, "url": "https://az-2.region-a.geo-1.ec2-compute.hpcloudsvc.com/services/Cloud", "region": "az-2.region-a.geo-1", "interface": "public", "service_Id": "120", "id": "110_P2"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/111_P"}, "url": "https://az-3.region-a.geo-1.compute.hpcloudsvc.com/v1.1/27833633664734", "region": "az-3.region-a.geo-1", "interface": "public", "service_Id": "120", "id": "111_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/111_P2"}, "url": "https://az-3.region-a.geo-1.ec2-compute.hpcloudsvc.com/services/Cloud", "region": "az-3.region-a.geo-1", "interface": "public", "service_Id": "120", "id": "111_P2"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/12000120_P"}, "url": "https://region-b.geo-1.compute.hpcloudsvc.com/v2/27833633664734", "region": "region-b.geo-1", "interface": "public", "service_Id": "120", "id": "12000120_P"}], "type": "compute", "id": 
"120", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/120"}, "name": "Compute"}, {"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/140_P"}, "url": "https://az-1.region-a.geo-1.compute.hpcloudsvc.com/v1.1/27833633664734", "region": "az-1.region-a.geo-1", "interface": "public", "service_Id": "130", "id": "140_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/141_P"}, "url": "https://az-2.region-a.geo-1.compute.hpcloudsvc.com/v1.1/27833633664734", "region": "az-2.region-a.geo-1", "interface": "public", "service_Id": "130", "id": "141_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/142_P"}, "url": "https://az-3.region-a.geo-1.compute.hpcloudsvc.com/v1.1/27833633664734", "region": "az-3.region-a.geo-1", "interface": "public", "service_Id": "130", "id": "142_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/13000300_P"}, "url": "https://region-b.geo-1.block.hpcloudsvc.com/v1/27833633664734", "region": "region-b.geo-1", "interface": "public", "service_Id": "130", "id": "13000300_P"}], "type": "volume", "id": "130", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/130"}, "name": "Block Storage"}, {"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/2401_P"}, "url": "https://region-a.geo-1.dns.hpcloudsvc.com/v1/", "region": "region-a.geo-1", "interface": "public", "service_Id": "240", "id": "2401_P"}], "type": "hpext:dns", "id": "240", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/240"}, "name": "DNS"}, {"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/1705_P"}, "url": "https://region-b.geo-1.network.hpcloudsvc.com", "region": "region-b.geo-1", "interface": "public", "service_Id": "170", "id": "1705_P"}], "type": "network", "id": "170", "links": 
{"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/170"}, "name": "Networking"}, {"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/2301_P"}, "url": "https://region-a.geo-1.monitoring.hpcloudsvc.com/v1.1", "region": "region-a.geo-1.private-beta", "interface": "public", "service_Id": "230", "id": "2301_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/2301_P2"}, "url": "https://region-a.geo-1.mon-deprecated.hpcloudsvc.com/v1.1", "region": "region-a.geo-1.private-beta", "interface": "public", "service_Id": "230", "id": "2301_P2"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/2302_P"}, "url": "https://region-b.geo-1.monitoring.hpcloudsvc.com/v1.1", "region": "region-b.geo-1", "interface": "public", "service_Id": "230", "id": "2302_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/2303_P"}, "url": "https://region-a.geo-1.monaas.hpcloudsvc.com/v1.1", "region": "region-a.geo-1", "interface": "public", "service_Id": "230", "id": "2303_P"}], "type": "hpext:monitoring", "id": "230", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/230"}, "name": "Monitoring"}, {"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/2201_P"}, "url": "https://region-a.geo-1.lbaas.hpcloudsvc.com/v1.1", "region": "region-a.geo-1.private-beta", "interface": "public", "service_Id": "220", "id": "2201_P"}], "type": "hpext:lbaas", "id": "220", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/220"}, "name": "Load Balancer"}, {"endpoints": [{"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/130_P"}, "url": "https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/", "region": "region-a.geo-1", "interface": "public", "service_Id": "100", "id": "130_P"}, {"links": {"self": 
"https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/10000130_P"}, "url": "https://region-b.geo-1.identity.hpcloudsvc.com:35357/v2.0/", "region": "region-b.geo-1", "interface": "public", "service_Id": "100", "id": "10000130_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/131_P"}, "url": "https://region-a.geo-1.identity.hpcloudsvc.com:35357/v3/", "region": "region-a.geo-1", "interface": "public", "service_Id": "100", "id": "131_P"}, {"links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/endpoints/10000131_P"}, "url": "https://region-b.geo-1.identity.hpcloudsvc.com:35357/v3/", "region": "region-b.geo-1", "interface": "public", "service_Id": "100", "id": "10000131_P"}], "type": "identity", "id": "100", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/100"}, "name": "Identity"}, {"endpoints": [], "type": "metering", "id": "190", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/services/190"}, "name": "Usage Reporting"}], "extras": {}, "user": {"HP-IDM": {"status": "enabled"}, "domain": {"HP-IDM": {"domainStatus": "enabled"}, "id": "36687026566315", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/domains/36687026566315"}, "name": "derrick.johnson@autonomy.com-DOMAIN"}, "id": "52151529297225", "links": {"self": "https://region-b.geo-1.identity.hpcloudsvc.com/v3/users/52151529297225"}, "name": "b2odtdcj"}, "issued_at": "2014-05-29T15:49:13.418000Z"}} \ No newline at end of file diff --git a/etc/security/truststore.jks b/etc/security/truststore.jks new file mode 100644 index 000000000..0c6379e20 Binary files /dev/null and b/etc/security/truststore.jks differ diff --git a/src/main/java/com/hpcloud/mon/MonApiApplication.java b/src/main/java/com/hpcloud/mon/MonApiApplication.java index 3a63cff24..f180a96b8 100644 --- a/src/main/java/com/hpcloud/mon/MonApiApplication.java +++ b/src/main/java/com/hpcloud/mon/MonApiApplication.java 
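Review bot: The new file `etc/security/project` commits a captured Keystone authentication response verbatim, including the `X-Subject-Token` header value, the authenticated user's id and name, the project and domain ids, and an e-mail address used as the project name, so the repository now carries a bearer credential plus account identifiers. The token's `expires_at` is 2014-05-30 and it is long dead, but a credential committed in plain text should still be treated as compromised and purged from history rather than just deleted in a follow-up; if a fixture of this response is needed for tests, replace the header value and the identifiers with obviously fake placeholders before committing. The same commit adds `keystore.jks`, `prod-hpmiddleware-keystore.jks`, `prod-hpmiddleware-truststore.jks` and `truststore.jks` as binaries under `etc/security`; the truststores are low-risk if they hold only CA certificates, but a keystore named `prod-*` presumably holds production private key material and should be provisioned out-of-band, with the directory's key files listed in `.gitignore`.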
@@ -120,6 +120,8 @@ public class MonApiApplication extends Application {
 authInitParams.put("ConnPoolMinIdleTime", config.middleware.connPoolMinIdleTime);
 authInitParams.put("ConnRetryTimes", config.middleware.connRetryTimes);
 authInitParams.put("ConnRetryInterval", config.middleware.connRetryInterval);
+ authInitParams.put("AdminToken", config.middleware.adminToken);
+
 Dynamic tokenAuthFilter = environment.servlets().addFilter("token-auth", new TokenAuth());
 tokenAuthFilter.addMappingForUrlPatterns(null, true, "/");
@@ -131,8 +133,10 @@ public class MonApiApplication extends Application {
 mockAuthenticationFilter.addMappingForUrlPatterns(null, true, "/");
 mockAuthenticationFilter.addMappingForUrlPatterns(null, true, "/v2.0/*");
 }
+ ArrayList list = new ArrayList();
+ list.add("heat_stack_owner");
 Dynamic postAuthenticationFilter = environment.servlets()
- .addFilter("post-auth", new PostAuthenticationFilter(Collections.singletonList("")));
+ .addFilter("post-auth", new PostAuthenticationFilter(list));//Collections.singletonList("")));
 postAuthenticationFilter.addMappingForUrlPatterns(null, true, "/");
 postAuthenticationFilter.addMappingForUrlPatterns(null, true, "/v2.0/*");
diff --git a/src/main/java/com/hpcloud/mon/infrastructure/middleware/MiddlewareConfiguration.java b/src/main/java/com/hpcloud/mon/infrastructure/middleware/MiddlewareConfiguration.java
index 384f30c78..036584aae 100644
--- a/src/main/java/com/hpcloud/mon/infrastructure/middleware/MiddlewareConfiguration.java
+++ b/src/main/java/com/hpcloud/mon/infrastructure/middleware/MiddlewareConfiguration.java
@@ -45,5 +45,6 @@ public class MiddlewareConfiguration {
 @NotEmpty @JsonProperty public String connPoolMinIdleTime;
 @NotEmpty @JsonProperty public String connRetryTimes;
 @NotEmpty @JsonProperty public String connRetryInterval;
+ @NotEmpty @JsonProperty public String adminToken;
 @NotNull @JsonProperty public List rolesToMatch;
 }
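Review bot: `config.middleware.adminToken` is a long-lived privileged credential, and the new `authInitParams.put("AdminToken", config.middleware.adminToken);` hands it to the filter as a plain `String` servlet init parameter next to non-secret pool-tuning values, so anything that enumerates the filter registration or dumps the parsed configuration at startup will expose it; the `@NotEmpty` field added to `MiddlewareConfiguration` in the hunk below also makes the token mandatory in every deployment's config file. If the `TokenAuth` filter (presumably the CsMiddleware one) cannot receive the value any other way, at least ensure the configuration class's logging and `toString` never include `adminToken`, and document the field in `MiddlewareConfiguration` with `// Secret: Keystone admin token used by TokenAuth to validate user tokens; inject from the deployment environment, never log or commit it`. Prefer issuing this token to a service account holding only the role needed for token validation rather than a full admin. The enclosing method begins before this hunk and continues after it.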
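Review bot: The post-authentication role check is now hard-coded: `list.add("heat_stack_owner")` becomes the only accepted role in `MonApiApplication`, while `MiddlewareConfiguration` (visible in the hunk below) already declares `@NotNull @JsonProperty public List rolesToMatch`, so the configured roles appear to be ignored and any authorization-policy change now needs a code change and redeploy. Unless `rolesToMatch` is consumed elsewhere, pass the configured list instead, `.addFilter("post-auth", new PostAuthenticationFilter(config.middleware.rolesToMatch));`, and drop the trailing `//Collections.singletonList("")));` dead code from the same line. If the literal must stay for now, write it as `List<String> roles = Collections.singletonList("heat_stack_owner");` rather than a raw `ArrayList`, with a comment stating why that role grants access to this API. The enclosing method starts before this hunk and ends after it.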
diff --git a/src/main/java/com/hpcloud/mon/infrastructure/servlet/PreAuthenticationFilter.java b/src/main/java/com/hpcloud/mon/infrastructure/servlet/PreAuthenticationFilter.java
index 8705804db..f92f4819e 100644
--- a/src/main/java/com/hpcloud/mon/infrastructure/servlet/PreAuthenticationFilter.java
+++ b/src/main/java/com/hpcloud/mon/infrastructure/servlet/PreAuthenticationFilter.java
@@ -34,6 +34,7 @@ import org.slf4j.LoggerFactory;
 import com.hpcloud.mon.resource.exception.Exceptions;
 import com.hpcloud.mon.resource.exception.Exceptions.FaultType;
+import com.hp.csbu.cc.middleware.ExceptionHandler.*;
 /**
 * Authenticates requests using header information from the CsMiddleware. Provides the X-TENANT-ID
@@ -95,9 +96,27 @@ public class PreAuthenticationFilter implements Filter {
 res.setContentType(MediaType.APPLICATION_JSON);
 res.setStatus(responseWrapper.statusCode);
 String output = Exceptions.buildLoggedErrorMessage(FaultType.UNAUTHORIZED,
- responseWrapper.errorMessage, null, responseWrapper.exception);
+ responseWrapper.errorMessage, null, responseWrapper.exception);
 out.print(output);
- } catch (Exception e) {
+ }catch(IllegalArgumentException e) {
+ //CSMiddleware is throwing this error for invalid tokens.
+ //This problem appears to be fixed in other versions, but they are not approved yet.
+ try {
+ String output = Exceptions.buildLoggedErrorMessage(FaultType.UNAUTHORIZED,
+ "invalid authToken", null, responseWrapper.exception);
+ out.print(output);
+ }
+ catch (Exception x) {
+ LOG.error("Error while writing failed authentication HTTP response", x);
+ } finally {
+ if (out != null)
+ try {
+ out.close();
+ } catch (IOException ignore) {
+ }
+ }
+ }
+ catch (Exception e) {
 LOG.error("Error while writing failed authentication HTTP response", e);
 } finally {
 if (out != null)
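Review bot: The new `catch(IllegalArgumentException e)` branch discards `e` without logging and sets no status code of its own, so if CsMiddleware raises the exception before `res.setStatus(responseWrapper.statusCode)` has executed (the start of the `try` lies outside this hunk) the `invalid authToken` body would be written on whatever status the response already carries, which defaults to 200. Add `res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);` before building the body (assuming `res` is the `HttpServletResponse`, as `setStatus`/`setContentType` suggest) and `LOG.debug("CsMiddleware rejected the token as invalid", e);` so the rejection stays diagnosable without putting the token in the log. The nested try/catch/finally that closes `out` duplicates the outer `finally` beginning at the end of the hunk, which appears to close `out` as well, so the inner `finally` can be removed and the outer one left to release the writer. The added `import com.hp.csbu.cc.middleware.ExceptionHandler.*;` is not referenced anywhere in the visible hunk and, if it is unused, should be dropped rather than left as a wildcard import.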