This is an automated email from the ASF dual-hosted git repository.
bejancsaba pushed a commit to branch support/nifi-1.x
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/support/nifi-1.x by this push:
new 5d50950534 NIFI-11344 Make minifi fips compatible
5d50950534 is described below
commit 5d50950534509876bbce9baa196706f2460d0f78
Author: Ferenc Erdei <[email protected]>
AuthorDate: Wed Mar 29 14:17:07 2023 +0200
NIFI-11344 Make minifi fips compatible
This closes #7098.
(cherry picked from commit 595b1b4dd3c92255c4d90dca77966d8f78102eec)
---
minifi/minifi-assembly/pom.xml | 15 +++
.../main/assembly/dependencies-windows-service.xml | 2 +
.../src/main/assembly/dependencies.xml | 2 +
minifi/minifi-bootstrap/pom.xml | 14 +++
.../ingestors/RestChangeIngestor.java | 70 ++++++++-----
...InvokeHttpMiNiFiProxyNoPasswordTemplateTest.yml | 2 +-
.../InvokeHttpMiNiFiProxyPasswordTemplateTest.yml | 2 +-
.../src/test/resources/MINIFI-216/config.yml | 2 +-
.../test/resources/MINIFI-216/configOverrides.yml | 2 +-
.../resources/MINIFI-216/nifi.properties.before | 2 +-
.../src/test/resources/MINIFI-245/config.yml | 2 +-
.../resources/MINIFI-245/nifi.properties.before | 2 +-
.../src/test/resources/MINIFI-277/config.yml | 2 +-
.../src/test/resources/MINIFI-277/nifi.properties | 2 +-
.../src/test/resources/MINIFI-516/config.yml | 2 +-
.../src/test/resources/NIFI-8753/config.yml | 2 +-
.../resources/NIFI-8753/nifi.properties.before | 2 +-
.../test/resources/SimpleRPGToLogAttributes.yml | 2 +-
.../bootstrap-provenance-reporting/config.yml | 2 +-
.../test/resources/bootstrap-ssl-ctx/config.yml | 2 +-
.../src/test/resources/config-funnel-and-rpg.yml | 2 +-
.../src/test/resources/config-malformed-field.yml | 2 +-
.../resources/config-missing-required-field.yml | 2 +-
.../src/test/resources/config-multiple-RPGs.yml | 2 +-
.../test/resources/config-multiple-input-ports.yml | 2 +-
.../test/resources/config-multiple-problems.yml | 2 +-
.../test/resources/config-multiple-processors.yml | 2 +-
.../src/test/resources/config-process-groups.yml | 2 +-
.../src/test/resources/config-reporting-task.yml | 2 +-
.../src/test/resources/config-v1.yml | 2 +-
.../minifi-bootstrap/src/test/resources/config.yml | 2 +-
.../resources/stress-test-framework-funnel.yml | 2 +-
.../minifi/c2/api/properties/C2Properties.java | 38 +------
.../src/main/resources/bin/c2.sh | 4 +-
.../src/main/resources/conf/authorizations.yaml | 4 -
.../main/resources/files/raspi3/config.text.yml.v1 | 2 +-
.../src/test/resources/files/config.text.yaml.v1 | 2 +-
.../resources/c2/files/raspi2/config.text.yml.v1 | 2 +-
.../resources/c2/files/raspi3/config.text.yml.v1 | 2 +-
.../resources/c2/files/raspi3/config.text.yml.v2 | 2 +-
minifi/minifi-c2/minifi-c2-jetty/pom.xml | 12 +++
.../apache/nifi/minifi/c2/jetty/JettyServer.java | 110 +++++++++++++++------
.../minifi-c2-provider-util/pom.xml | 4 +
.../minifi/c2/provider/util/HttpConnector.java | 91 +++++++++++++----
.../nifi/minifi/c2/service/ConfigService.java | 62 ++++++------
.../minifi-commons/minifi-commons-schema/pom.xml | 4 +
.../commons/schema/SecurityPropertiesSchema.java | 11 ++-
.../files/edge1/raspi3/config.text.yml.v1 | 2 +-
.../files/edge2/raspi2/config.text.yml.v1 | 2 +-
.../files/edge3/raspi3/config.text.yml.v1 | 2 +-
.../src/test/resources/conf/nifi.properties | 2 +-
.../standalone/v1/CsvToJson/yml/CsvToJson.yml | 2 +-
.../yml/DecompressionCircularFlow.yml | 2 +-
.../yml/MiNiFiTailLogAttribute.yml | 2 +-
...eplaceTextExpressionLanguageCSVReformatting.yml | 2 +-
.../yml/MultipleRelationships.yml | 2 +-
.../v2/ProcessGroups/yml/ProcessGroups.yml | 2 +-
.../yml/StressTestFramework.yml | 2 +-
minifi/pom.xml | 5 +
59 files changed, 338 insertions(+), 196 deletions(-)
diff --git a/minifi/minifi-assembly/pom.xml b/minifi/minifi-assembly/pom.xml
index b7be9e4912..e922d81955 100644
--- a/minifi/minifi-assembly/pom.xml
+++ b/minifi/minifi-assembly/pom.xml
@@ -262,6 +262,21 @@ limitations under the License.
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-server</artifactId>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-servlet</artifactId>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ <scope>compile</scope>
+ </dependency>
<!-- dependencies for jaxb/activation/annotation for running MiNiFi on
Java 11 -->
<!-- TODO: remove these once minimum Java version is 11 -->
diff --git
a/minifi/minifi-assembly/src/main/assembly/dependencies-windows-service.xml
b/minifi/minifi-assembly/src/main/assembly/dependencies-windows-service.xml
index 754fdb49d4..eaf6f451aa 100644
--- a/minifi/minifi-assembly/src/main/assembly/dependencies-windows-service.xml
+++ b/minifi/minifi-assembly/src/main/assembly/dependencies-windows-service.xml
@@ -36,6 +36,7 @@
<exclude>*:nifi-bootstrap-utils</exclude>
<exclude>*:minifi-bootstrap</exclude>
<exclude>*:minifi-resources</exclude>
+ <exclude>org.eclipse.jetty:*</exclude>
<!-- Filter items introduced via transitive dependencies that
are provided in associated NARs -->
<exclude>*:swagger-annotations</exclude>
@@ -56,6 +57,7 @@
<fileMode>0660</fileMode>
<useTransitiveFiltering>true</useTransitiveFiltering>
<includes>
+ <include>org.eclipse.jetty:*</include>
<include>*:nifi-bootstrap-utils</include>
<include>*:minifi-bootstrap</include>
<include>*:minifi-utils</include>
diff --git a/minifi/minifi-assembly/src/main/assembly/dependencies.xml
b/minifi/minifi-assembly/src/main/assembly/dependencies.xml
index 342b520ab3..c56b2c8e4c 100644
--- a/minifi/minifi-assembly/src/main/assembly/dependencies.xml
+++ b/minifi/minifi-assembly/src/main/assembly/dependencies.xml
@@ -36,6 +36,7 @@
<exclude>*:nifi-bootstrap-utils</exclude>
<exclude>*:minifi-bootstrap</exclude>
<exclude>*:minifi-resources</exclude>
+ <exclude>org.eclipse.jetty:*</exclude>
<!-- Filter items introduced via transitive dependencies that
are provided in associated NARs -->
<exclude>*:swagger-annotations</exclude>
@@ -56,6 +57,7 @@
<fileMode>0660</fileMode>
<useTransitiveFiltering>true</useTransitiveFiltering>
<includes>
+ <include>org.eclipse.jetty:*</include>
<include>*:nifi-bootstrap-utils</include>
<include>*:minifi-bootstrap</include>
<include>*:minifi-utils</include>
diff --git a/minifi/minifi-bootstrap/pom.xml b/minifi/minifi-bootstrap/pom.xml
index 5a1fdfea8b..bf0e24551d 100644
--- a/minifi/minifi-bootstrap/pom.xml
+++ b/minifi/minifi-bootstrap/pom.xml
@@ -40,6 +40,16 @@ limitations under the License.
<artifactId>nifi-api</artifactId>
<scope>compile</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-jetty-configuration</artifactId>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-security-utils-api</artifactId>
+ <scope>compile</scope>
+ </dependency>
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>c2-client-api</artifactId>
@@ -127,6 +137,10 @@ limitations under the License.
<artifactId>nifi-security-utils</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk18on</artifactId>
+ </dependency>
</dependencies>
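Review bot: `bcprov-jdk18on` is added here with neither a `<scope>` nor a `<version>`, so it becomes a compile-scope runtime dependency of the bootstrap whose version is presumably resolved from a parent `dependencyManagement` entry; confirm that entry exists so the artifact is pinned rather than floating. For a change titled "fips compatible" it is worth stating why the general-purpose Bouncy Castle provider, rather than a FIPS-certified module, is required, because the `RestChangeIngestor` hunk in this commit registers it process-wide with `Security.addProvider(new BouncyCastleProvider())` in a static initializer, and that registration is visible to every other JCA consumer in the JVM. A comment on the dependency such as `<!-- Required by RestChangeIngestor, which registers BouncyCastleProvider globally at class load -->` would make the coupling explicit for the next reader of this file. The enclosing `<dependencies>` element starts outside this hunk.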
diff --git
a/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
b/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
index fe0ccbf548..d9695b81ad 100644
---
a/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
+++
b/minifi/minifi-bootstrap/src/main/java/org/apache/nifi/minifi/bootstrap/configuration/ingestors/RestChangeIngestor.java
@@ -20,19 +20,25 @@ package
org.apache.nifi.minifi.bootstrap.configuration.ingestors;
import static
org.apache.nifi.minifi.bootstrap.configuration.ConfigurationChangeCoordinator.NOTIFIER_INGESTORS_KEY;
import static
org.apache.nifi.minifi.bootstrap.configuration.differentiators.WholeConfigDifferentiator.WHOLE_CONFIG_KEY;
+import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.UncheckedIOException;
import java.net.URI;
import java.nio.ByteBuffer;
+import java.security.KeyStore;
+import java.security.Security;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.function.Supplier;
+import javax.net.ssl.SSLContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
+import
org.apache.nifi.jetty.configuration.connector.StandardServerConnectorFactory;
import org.apache.nifi.minifi.bootstrap.ConfigurationFileHolder;
import
org.apache.nifi.minifi.bootstrap.configuration.ConfigurationChangeNotifier;
import org.apache.nifi.minifi.bootstrap.configuration.ListenerHandleResult;
@@ -40,12 +46,15 @@ import
org.apache.nifi.minifi.bootstrap.configuration.differentiators.Differenti
import
org.apache.nifi.minifi.bootstrap.configuration.differentiators.WholeConfigDifferentiator;
import
org.apache.nifi.minifi.bootstrap.configuration.ingestors.interfaces.ChangeIngestor;
import org.apache.nifi.minifi.bootstrap.util.ConfigTransformer;
+import org.apache.nifi.security.ssl.StandardKeyStoreBuilder;
+import org.apache.nifi.security.ssl.StandardSslContextBuilder;
+import org.apache.nifi.security.util.TlsPlatform;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.HandlerCollection;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -60,6 +69,7 @@ public class RestChangeIngestor implements ChangeIngestor {
tempMap.put(WHOLE_CONFIG_KEY,
WholeConfigDifferentiator::getByteBufferDifferentiator);
DIFFERENTIATOR_CONSTRUCTOR_MAP = Collections.unmodifiableMap(tempMap);
+ Security.addProvider(new BouncyCastleProvider());
}
@@ -99,7 +109,7 @@ public class RestChangeIngestor implements ChangeIngestor {
this.configurationFileHolder = configurationFileHolder;
this.properties = properties;
logger.info("Initializing");
- final String differentiatorName =
properties.getProperty(DIFFERENTIATOR_KEY);
+ String differentiatorName = properties.getProperty(DIFFERENTIATOR_KEY);
if (differentiatorName != null && !differentiatorName.isEmpty()) {
Supplier<Differentiator<ByteBuffer>> differentiatorSupplier =
DIFFERENTIATOR_CONSTRUCTOR_MAP.get(differentiatorName);
@@ -132,7 +142,7 @@ public class RestChangeIngestor implements ChangeIngestor {
public void start() {
try {
jetty.start();
- logger.info("RestChangeIngester has started and is listening on
port {}.", new Object[]{getPort()});
+ logger.info("RestChangeIngester has started and is listening on
port {}.", getPort());
} catch (Exception e) {
throw new IllegalStateException(e);
}
@@ -163,7 +173,7 @@ public class RestChangeIngestor implements ChangeIngestor {
}
private void createConnector(Properties properties) {
- final ServerConnector http = new ServerConnector(jetty);
+ ServerConnector http = new ServerConnector(jetty);
http.setPort(Integer.parseInt(properties.getProperty(PORT_KEY, "0")));
http.setHost(properties.getProperty(HOST_KEY, "localhost"));
@@ -172,39 +182,53 @@ public class RestChangeIngestor implements ChangeIngestor
{
http.setIdleTimeout(30000L);
jetty.addConnector(http);
- logger.info("Added an http connector on the host '{}' and port '{}'",
new Object[]{http.getHost(), http.getPort()});
+ logger.info("Added an http connector on the host '{}' and port '{}'",
http.getHost(), http.getPort());
}
private void createSecureConnector(Properties properties) {
- SslContextFactory ssl = new SslContextFactory();
-
- if (properties.getProperty(KEYSTORE_LOCATION_KEY) != null) {
- ssl.setKeyStorePath(properties.getProperty(KEYSTORE_LOCATION_KEY));
-
ssl.setKeyStorePassword(properties.getProperty(KEYSTORE_PASSWORD_KEY));
- ssl.setKeyStoreType(properties.getProperty(KEYSTORE_TYPE_KEY));
+ KeyStore keyStore;
+ KeyStore trustStore = null;
+
+ try (FileInputStream keyStoreStream = new
FileInputStream(properties.getProperty(KEYSTORE_LOCATION_KEY))) {
+ keyStore = new StandardKeyStoreBuilder()
+ .type(properties.getProperty(KEYSTORE_TYPE_KEY))
+ .inputStream(keyStoreStream)
+
.password(properties.getProperty(KEYSTORE_PASSWORD_KEY).toCharArray())
+ .build();
+ } catch (IOException ioe) {
+ throw new UncheckedIOException("Key Store loading failed", ioe);
}
if (properties.getProperty(TRUSTSTORE_LOCATION_KEY) != null) {
-
ssl.setTrustStorePath(properties.getProperty(TRUSTSTORE_LOCATION_KEY));
-
ssl.setTrustStorePassword(properties.getProperty(TRUSTSTORE_PASSWORD_KEY));
- ssl.setTrustStoreType(properties.getProperty(TRUSTSTORE_TYPE_KEY));
-
ssl.setNeedClientAuth(Boolean.parseBoolean(properties.getProperty(NEED_CLIENT_AUTH_KEY,
"true")));
+ try (FileInputStream trustStoreStream = new
FileInputStream(properties.getProperty(TRUSTSTORE_LOCATION_KEY))) {
+ trustStore = new StandardKeyStoreBuilder()
+ .type(properties.getProperty(TRUSTSTORE_TYPE_KEY))
+ .inputStream(trustStoreStream)
+
.password(properties.getProperty(TRUSTSTORE_PASSWORD_KEY).toCharArray())
+ .build();
+ } catch (IOException ioe) {
+ throw new UncheckedIOException("Trust Store loading failed",
ioe);
+ }
}
- // build the connector
- final ServerConnector https = new ServerConnector(jetty, ssl);
+ SSLContext sslContext = new StandardSslContextBuilder()
+ .keyStore(keyStore)
+
.keyPassword(properties.getProperty(KEYSTORE_PASSWORD_KEY).toCharArray())
+ .trustStore(trustStore)
+ .build();
- // set host and port
- https.setPort(Integer.parseInt(properties.getProperty(PORT_KEY, "0")));
- https.setHost(properties.getProperty(HOST_KEY, "localhost"));
+ StandardServerConnectorFactory serverConnectorFactory = new
StandardServerConnectorFactory(jetty,
Integer.parseInt(properties.getProperty(PORT_KEY, "0")));
+
serverConnectorFactory.setNeedClientAuth(Boolean.parseBoolean(properties.getProperty(NEED_CLIENT_AUTH_KEY,
"true")));
+ serverConnectorFactory.setSslContext(sslContext);
+
serverConnectorFactory.setIncludeSecurityProtocols(TlsPlatform.getPreferredProtocols().toArray(new
String[0]));
- // Severely taxed environments may have significant delays when
executing.
- https.setIdleTimeout(30000L);
+ ServerConnector https = serverConnectorFactory.getServerConnector();
+ https.setHost(properties.getProperty(HOST_KEY, "localhost"));
// add the connector
jetty.addConnector(https);
- logger.info("Added an https connector on the host '{}' and port '{}'",
new Object[]{https.getHost(), https.getPort()});
+ logger.info("HTTPS Connector added for Host [{}] and Port [{}]",
https.getHost(), https.getPort());
}
protected void setDifferentiator(Differentiator<ByteBuffer>
differentiator) {
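Review bot: In `createSecureConnector` the removed `if (properties.getProperty(KEYSTORE_LOCATION_KEY) != null)` guard means a configuration with no key store location now fails inside `new FileInputStream(...)` with a NullPointerException that names neither the property nor the file, and `properties.getProperty(KEYSTORE_PASSWORD_KEY).toCharArray()` fails the same way for a missing password; reading the required values into locals first, e.g. `String keyStoreLocation = Objects.requireNonNull(properties.getProperty(KEYSTORE_LOCATION_KEY), "Key Store location required");` (with `java.util.Objects` imported, and likewise for the password), gives an operator a diagnosable error instead. Two behaviours of the old HTTPS connector are also dropped without comment: `https.setIdleTimeout(30000L)` has no counterpart on the new connector while the plain connector above keeps its 30 s timeout, and `setNeedClientAuth` is now applied with its default of `true` even when no trust store is configured, whereas it was previously set only inside the trust store branch. Whether `StandardServerConnectorFactory` applies an idle timeout of its own and what `StandardSslContextBuilder` does with a null `trustStore` is not visible in this hunk, so please confirm both, or restore `https.setIdleTimeout(30000L);` after `getServerConnector()` and only call `setNeedClientAuth` when a trust store was loaded.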
diff --git
a/minifi/minifi-bootstrap/src/test/resources/InvokeHttpMiNiFiProxyNoPasswordTemplateTest.yml
b/minifi/minifi-bootstrap/src/test/resources/InvokeHttpMiNiFiProxyNoPasswordTemplateTest.yml
index 084da2d37d..2c39c9baed 100644
---
a/minifi/minifi-bootstrap/src/test/resources/InvokeHttpMiNiFiProxyNoPasswordTemplateTest.yml
+++
b/minifi/minifi-bootstrap/src/test/resources/InvokeHttpMiNiFiProxyNoPasswordTemplateTest.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 0a73c5e4-7216-4cdf-9008-ace353478d55
diff --git
a/minifi/minifi-bootstrap/src/test/resources/InvokeHttpMiNiFiProxyPasswordTemplateTest.yml
b/minifi/minifi-bootstrap/src/test/resources/InvokeHttpMiNiFiProxyPasswordTemplateTest.yml
index 348219bd84..254616ee50 100644
---
a/minifi/minifi-bootstrap/src/test/resources/InvokeHttpMiNiFiProxyPasswordTemplateTest.yml
+++
b/minifi/minifi-bootstrap/src/test/resources/InvokeHttpMiNiFiProxyPasswordTemplateTest.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 0a73c5e4-7216-4cdf-9008-ace353478d55
diff --git a/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/config.yml
b/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/config.yml
index 8886205ef7..ec0c8704ae 100644
--- a/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/config.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/config.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 94b8e610-b4ed-3ec9-b26f-c839931bf3e2
diff --git
a/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/configOverrides.yml
b/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/configOverrides.yml
index 45673b0696..d4c3f0d119 100644
--- a/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/configOverrides.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/configOverrides.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 94b8e610-b4ed-3ec9-b26f-c839931bf3e2
diff --git
a/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/nifi.properties.before
b/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/nifi.properties.before
index 0c60b4be9f..4f0e0b25e0 100644
---
a/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/nifi.properties.before
+++
b/minifi/minifi-bootstrap/src/test/resources/MINIFI-216/nifi.properties.before
@@ -92,7 +92,7 @@ nifi.web.jetty.threads=200
# security properties #
# This needs to be ignored during unit testing: nifi.sensitive.props.key=
-nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
+nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.security.keystore=/tmp/ssl/localhost-ks.jks
nifi.security.keystoreType=JKS
diff --git a/minifi/minifi-bootstrap/src/test/resources/MINIFI-245/config.yml
b/minifi/minifi-bootstrap/src/test/resources/MINIFI-245/config.yml
index f76a561a34..3ad05952ce 100644
--- a/minifi/minifi-bootstrap/src/test/resources/MINIFI-245/config.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/MINIFI-245/config.yml
@@ -54,7 +54,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 94b8e610-b4ed-3ec9-b26f-c839931bf3e2
diff --git
a/minifi/minifi-bootstrap/src/test/resources/MINIFI-245/nifi.properties.before
b/minifi/minifi-bootstrap/src/test/resources/MINIFI-245/nifi.properties.before
index 0c60b4be9f..4f0e0b25e0 100644
---
a/minifi/minifi-bootstrap/src/test/resources/MINIFI-245/nifi.properties.before
+++
b/minifi/minifi-bootstrap/src/test/resources/MINIFI-245/nifi.properties.before
@@ -92,7 +92,7 @@ nifi.web.jetty.threads=200
# security properties #
# This needs to be ignored during unit testing: nifi.sensitive.props.key=
-nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
+nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.security.keystore=/tmp/ssl/localhost-ks.jks
nifi.security.keystoreType=JKS
diff --git a/minifi/minifi-bootstrap/src/test/resources/MINIFI-277/config.yml
b/minifi/minifi-bootstrap/src/test/resources/MINIFI-277/config.yml
index def266649d..b61b9507c8 100644
--- a/minifi/minifi-bootstrap/src/test/resources/MINIFI-277/config.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/MINIFI-277/config.yml
@@ -54,7 +54,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 94b8e610-b4ed-3ec9-b26f-c839931bf3e2
diff --git
a/minifi/minifi-bootstrap/src/test/resources/MINIFI-277/nifi.properties
b/minifi/minifi-bootstrap/src/test/resources/MINIFI-277/nifi.properties
index 5b2b1a7be4..6020f316a3 100644
--- a/minifi/minifi-bootstrap/src/test/resources/MINIFI-277/nifi.properties
+++ b/minifi/minifi-bootstrap/src/test/resources/MINIFI-277/nifi.properties
@@ -93,7 +93,7 @@ nifi.web.jetty.threads=200
# security properties #
# This needs to be ignored during unit testing: nifi.sensitive.props.key=
-nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
+nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.security.keystore=/tmp/ssl/localhost-ks.jks
nifi.security.keystoreType=JKS
diff --git a/minifi/minifi-bootstrap/src/test/resources/MINIFI-516/config.yml
b/minifi/minifi-bootstrap/src/test/resources/MINIFI-516/config.yml
index 665622f05b..d9b3b3fe60 100644
--- a/minifi/minifi-bootstrap/src/test/resources/MINIFI-516/config.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/MINIFI-516/config.yml
@@ -55,7 +55,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: d636b1bb-fdc7-3e7e-0000-000000000000
diff --git a/minifi/minifi-bootstrap/src/test/resources/NIFI-8753/config.yml
b/minifi/minifi-bootstrap/src/test/resources/NIFI-8753/config.yml
index b9112287d7..be27ed8092 100644
--- a/minifi/minifi-bootstrap/src/test/resources/NIFI-8753/config.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/NIFI-8753/config.yml
@@ -54,7 +54,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 94b8e610-b4ed-3ec9-b26f-c839931bf3e2
diff --git
a/minifi/minifi-bootstrap/src/test/resources/NIFI-8753/nifi.properties.before
b/minifi/minifi-bootstrap/src/test/resources/NIFI-8753/nifi.properties.before
index 0c60b4be9f..4f0e0b25e0 100644
---
a/minifi/minifi-bootstrap/src/test/resources/NIFI-8753/nifi.properties.before
+++
b/minifi/minifi-bootstrap/src/test/resources/NIFI-8753/nifi.properties.before
@@ -92,7 +92,7 @@ nifi.web.jetty.threads=200
# security properties #
# This needs to be ignored during unit testing: nifi.sensitive.props.key=
-nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
+nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.security.keystore=/tmp/ssl/localhost-ks.jks
nifi.security.keystoreType=JKS
diff --git
a/minifi/minifi-bootstrap/src/test/resources/SimpleRPGToLogAttributes.yml
b/minifi/minifi-bootstrap/src/test/resources/SimpleRPGToLogAttributes.yml
index 578143ae84..6e0672fb41 100644
--- a/minifi/minifi-bootstrap/src/test/resources/SimpleRPGToLogAttributes.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/SimpleRPGToLogAttributes.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 6b97126a-015a-1000-0000-000000000000
diff --git
a/minifi/minifi-bootstrap/src/test/resources/bootstrap-provenance-reporting/config.yml
b/minifi/minifi-bootstrap/src/test/resources/bootstrap-provenance-reporting/config.yml
index ca062f5279..5f412f396e 100644
---
a/minifi/minifi-bootstrap/src/test/resources/bootstrap-provenance-reporting/config.yml
+++
b/minifi/minifi-bootstrap/src/test/resources/bootstrap-provenance-reporting/config.yml
@@ -54,7 +54,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 94b8e610-b4ed-3ec9-b26f-c839931bf3e2
diff --git
a/minifi/minifi-bootstrap/src/test/resources/bootstrap-ssl-ctx/config.yml
b/minifi/minifi-bootstrap/src/test/resources/bootstrap-ssl-ctx/config.yml
index def266649d..b61b9507c8 100644
--- a/minifi/minifi-bootstrap/src/test/resources/bootstrap-ssl-ctx/config.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/bootstrap-ssl-ctx/config.yml
@@ -54,7 +54,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 94b8e610-b4ed-3ec9-b26f-c839931bf3e2
diff --git
a/minifi/minifi-bootstrap/src/test/resources/config-funnel-and-rpg.yml
b/minifi/minifi-bootstrap/src/test/resources/config-funnel-and-rpg.yml
index fd58662d4b..055f03386c 100644
--- a/minifi/minifi-bootstrap/src/test/resources/config-funnel-and-rpg.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/config-funnel-and-rpg.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: f028f52b-e4da-44fe-94b0-93eab6918cde
diff --git
a/minifi/minifi-bootstrap/src/test/resources/config-malformed-field.yml
b/minifi/minifi-bootstrap/src/test/resources/config-malformed-field.yml
index ecce9a8b84..f74f15d509 100644
--- a/minifi/minifi-bootstrap/src/test/resources/config-malformed-field.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/config-malformed-field.yml
@@ -56,7 +56,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
diff --git
a/minifi/minifi-bootstrap/src/test/resources/config-missing-required-field.yml
b/minifi/minifi-bootstrap/src/test/resources/config-missing-required-field.yml
index 9339d8cfac..fb7eadbd3a 100644
---
a/minifi/minifi-bootstrap/src/test/resources/config-missing-required-field.yml
+++
b/minifi/minifi-bootstrap/src/test/resources/config-missing-required-field.yml
@@ -55,7 +55,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
diff --git
a/minifi/minifi-bootstrap/src/test/resources/config-multiple-RPGs.yml
b/minifi/minifi-bootstrap/src/test/resources/config-multiple-RPGs.yml
index a79909756a..5548e28d2c 100644
--- a/minifi/minifi-bootstrap/src/test/resources/config-multiple-RPGs.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/config-multiple-RPGs.yml
@@ -55,7 +55,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
diff --git
a/minifi/minifi-bootstrap/src/test/resources/config-multiple-input-ports.yml
b/minifi/minifi-bootstrap/src/test/resources/config-multiple-input-ports.yml
index 1581163912..42e05da1cd 100644
--- a/minifi/minifi-bootstrap/src/test/resources/config-multiple-input-ports.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/config-multiple-input-ports.yml
@@ -55,7 +55,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
diff --git
a/minifi/minifi-bootstrap/src/test/resources/config-multiple-problems.yml
b/minifi/minifi-bootstrap/src/test/resources/config-multiple-problems.yml
index c30bfb9702..e75d167527 100644
--- a/minifi/minifi-bootstrap/src/test/resources/config-multiple-problems.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/config-multiple-problems.yml
@@ -55,7 +55,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
diff --git
a/minifi/minifi-bootstrap/src/test/resources/config-multiple-processors.yml
b/minifi/minifi-bootstrap/src/test/resources/config-multiple-processors.yml
index 5a3cf92347..49917e1307 100644
--- a/minifi/minifi-bootstrap/src/test/resources/config-multiple-processors.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/config-multiple-processors.yml
@@ -55,7 +55,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
diff --git
a/minifi/minifi-bootstrap/src/test/resources/config-process-groups.yml
b/minifi/minifi-bootstrap/src/test/resources/config-process-groups.yml
index aa788db3b2..3efeef5e5d 100644
--- a/minifi/minifi-bootstrap/src/test/resources/config-process-groups.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/config-process-groups.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 207748d1-0158-1000-0000-000000000000
diff --git
a/minifi/minifi-bootstrap/src/test/resources/config-reporting-task.yml
b/minifi/minifi-bootstrap/src/test/resources/config-reporting-task.yml
index b746316aac..388e50ded1 100644
--- a/minifi/minifi-bootstrap/src/test/resources/config-reporting-task.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/config-reporting-task.yml
@@ -57,7 +57,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
diff --git a/minifi/minifi-bootstrap/src/test/resources/config-v1.yml
b/minifi/minifi-bootstrap/src/test/resources/config-v1.yml
index 2af6b9beca..a487afe7f9 100644
--- a/minifi/minifi-bootstrap/src/test/resources/config-v1.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/config-v1.yml
@@ -58,7 +58,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
diff --git a/minifi/minifi-bootstrap/src/test/resources/config.yml
b/minifi/minifi-bootstrap/src/test/resources/config.yml
index e18d74a253..1ac02388fc 100644
--- a/minifi/minifi-bootstrap/src/test/resources/config.yml
+++ b/minifi/minifi-bootstrap/src/test/resources/config.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: TLS
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 94b8e610-b4ed-3ec9-b26f-c839931bf3e2
diff --git
a/minifi/minifi-bootstrap/src/test/resources/stress-test-framework-funnel.yml
b/minifi/minifi-bootstrap/src/test/resources/stress-test-framework-funnel.yml
index 95e8f52551..9a715a7e90 100644
---
a/minifi/minifi-bootstrap/src/test/resources/stress-test-framework-funnel.yml
+++
b/minifi/minifi-bootstrap/src/test/resources/stress-test-framework-funnel.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- name: GenerateFlowFile
diff --git
a/minifi/minifi-c2/minifi-c2-api/src/main/java/org/apache/nifi/minifi/c2/api/properties/C2Properties.java
b/minifi/minifi-c2/minifi-c2-api/src/main/java/org/apache/nifi/minifi/c2/api/properties/C2Properties.java
index cf8e462f56..cd9e4c9927 100644
---
a/minifi/minifi-c2/minifi-c2-api/src/main/java/org/apache/nifi/minifi/c2/api/properties/C2Properties.java
+++
b/minifi/minifi-c2/minifi-c2-api/src/main/java/org/apache/nifi/minifi/c2/api/properties/C2Properties.java
@@ -17,17 +17,8 @@
package org.apache.nifi.minifi.c2.api.properties;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
import java.io.IOException;
import java.io.InputStream;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
import java.util.Properties;
public class C2Properties extends Properties {
@@ -40,9 +31,7 @@ public class C2Properties extends Properties {
public static final String MINIFI_C2_SERVER_TRUSTSTORE_TYPE =
"minifi.c2.server.truststoreType";
public static final String MINIFI_C2_SERVER_TRUSTSTORE_PASSWD =
"minifi.c2.server.truststorePasswd";
- private static final Logger logger =
LoggerFactory.getLogger(C2Properties.class);
private static final C2Properties properties = initProperties();
- private static final String C2_SERVER_HOME =
System.getenv("C2_SERVER_HOME");
private static C2Properties initProperties() {
C2Properties properties = new C2Properties();
@@ -59,31 +48,6 @@ public class C2Properties extends Properties {
}
public boolean isSecure() {
- return Boolean.valueOf(getProperty(MINIFI_C2_SERVER_SECURE, "false"));
- }
-
- public SslContextFactory getSslContextFactory() throws
GeneralSecurityException, IOException {
- SslContextFactory sslContextFactory = new SslContextFactory.Server();
- KeyStore keyStore =
KeyStore.getInstance(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_TYPE));
- Path keyStorePath =
Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE)).toAbsolutePath();
- logger.debug("keystore path: " + keyStorePath);
- try (InputStream inputStream = Files.newInputStream(keyStorePath)) {
- keyStore.load(inputStream,
properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_PASSWD).toCharArray());
- }
- sslContextFactory.setKeyStore(keyStore);
-
sslContextFactory.setKeyManagerPassword(properties.getProperty(MINIFI_C2_SERVER_KEY_PASSWD));
- sslContextFactory.setWantClientAuth(true);
-
- String trustStorePath =
Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE)).toAbsolutePath().toFile().getAbsolutePath();
- logger.debug("truststore path: " + trustStorePath);
- sslContextFactory.setTrustStorePath(trustStorePath);
-
sslContextFactory.setTrustStoreType(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_TYPE));
-
sslContextFactory.setTrustStorePassword(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_PASSWD));
- try {
- sslContextFactory.start();
- } catch (Exception e) {
- throw new IOException(e);
- }
- return sslContextFactory;
+ return Boolean.parseBoolean(getProperty(MINIFI_C2_SERVER_SECURE,
"false"));
}
}
diff --git a/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/bin/c2.sh
b/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/bin/c2.sh
index c6dc8de0a9..f20f072253 100755
--- a/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/bin/c2.sh
+++ b/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/bin/c2.sh
@@ -114,9 +114,9 @@ run() {
echo
if [ "$1" = "debug" ]; then
- "${JAVA}" -cp "${CLASSPATH}" -Xms12m -Xmx24m
-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005
-Djava.net.preferIPv4Stack=true org.apache.nifi.minifi.c2.jetty.JettyServer $@
+ "${JAVA}" -cp "${CLASSPATH}" -Xms12m -Xmx128m
-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005
-Djava.net.preferIPv4Stack=true org.apache.nifi.minifi.c2.jetty.JettyServer $@
else
- "${JAVA}" -cp "${CLASSPATH}" -Xms12m -Xmx24m
-Djava.net.preferIPv4Stack=true org.apache.nifi.minifi.c2.jetty.JettyServer $@
+ "${JAVA}" -cp "${CLASSPATH}" -Xms12m -Xmx128m
-Djava.net.preferIPv4Stack=true org.apache.nifi.minifi.c2.jetty.JettyServer $@
fi
return $?
}
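Review bot: `$@` is left unquoted on both rewritten java invocation lines, so any argument containing whitespace is re-split before it reaches JettyServer; the lines were touched for the heap change and should take `"$@"` at the same time. The rest of `run()` lies outside the hunk.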
diff --git
a/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/conf/authorizations.yaml
b/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/conf/authorizations.yaml
index 14386e5c17..d341a50a58 100644
---
a/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/conf/authorizations.yaml
+++
b/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/conf/authorizations.yaml
@@ -42,8 +42,6 @@ Paths:
Default Action: deny
Actions:
- Authorization: CLASS_RASPI_3
- Query Parameters:
- class: raspi3
Action: allow
- Authorization: ROLE_SUPERUSER
Action: allow
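Review bot: Dropping the `Query Parameters: class: raspi3` constraint widens what the CLASS_RASPI_3 authorization grants under this path: the action is now allowed for any `class` value rather than only `raspi3`. The commit description covers FIPS compatibility and does not say why this constraint goes, so either a comment above the action or a sentence in the description should record the reason, and if the narrowing is expected to be enforced elsewhere that should be stated where it can be checked. The same removal appears in the second hunk of this file.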
@@ -56,8 +54,6 @@ Paths:
Default Action: deny
Actions:
- Authorization: CLASS_RASPI_3
- Query Parameters:
- class: raspi3
Action: allow
- Authorization: ROLE_SUPERUSER
Action: allow
diff --git
a/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/files/raspi3/config.text.yml.v1
b/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/files/raspi3/config.text.yml.v1
index 1a7f872dc7..76ce1cd26c 100644
---
a/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/files/raspi3/config.text.yml.v1
+++
b/minifi/minifi-c2/minifi-c2-assembly/src/main/resources/files/raspi3/config.text.yml.v1
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors: []
Process Groups: []
diff --git
a/minifi/minifi-c2/minifi-c2-cache/minifi-c2-cache-filesystem/src/test/resources/files/config.text.yaml.v1
b/minifi/minifi-c2/minifi-c2-cache/minifi-c2-cache-filesystem/src/test/resources/files/config.text.yaml.v1
index 5237bc136b..de7ea51579 100644
---
a/minifi/minifi-c2/minifi-c2-cache/minifi-c2-cache-filesystem/src/test/resources/files/config.text.yaml.v1
+++
b/minifi/minifi-c2/minifi-c2-cache/minifi-c2-cache-filesystem/src/test/resources/files/config.text.yaml.v1
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors: []
Process Groups: []
diff --git
a/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi2/config.text.yml.v1
b/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi2/config.text.yml.v1
index 116426fefb..6c01f107eb 100644
---
a/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi2/config.text.yml.v1
+++
b/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi2/config.text.yml.v1
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors: []
Process Groups: []
diff --git
a/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi3/config.text.yml.v1
b/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi3/config.text.yml.v1
index 690cdaabff..5daf281d6f 100644
---
a/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi3/config.text.yml.v1
+++
b/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi3/config.text.yml.v1
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors: []
Process Groups: []
diff --git
a/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi3/config.text.yml.v2
b/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi3/config.text.yml.v2
index 14750b698a..83230e1a19 100644
---
a/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi3/config.text.yml.v2
+++
b/minifi/minifi-c2/minifi-c2-integration-tests/src/test/resources/c2/files/raspi3/config.text.yml.v2
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors: []
Process Groups: []
diff --git a/minifi/minifi-c2/minifi-c2-jetty/pom.xml
b/minifi/minifi-c2/minifi-c2-jetty/pom.xml
index b9ad7c4c68..25b5477ea2 100644
--- a/minifi/minifi-c2/minifi-c2-jetty/pom.xml
+++ b/minifi/minifi-c2/minifi-c2-jetty/pom.xml
@@ -55,5 +55,17 @@ limitations under the License.
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-servlets</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-jetty-configuration</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-security-ssl</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk18on</artifactId>
+ </dependency>
</dependencies>
</project>
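Review bot: `bcprov-jdk18on` is BouncyCastle's general-purpose provider, not the separately distributed FIPS-validated `bc-fips` module, so given the commit title a comment on this dependency should state whether the goal is FIPS-validated cryptography or only compatibility with a FIPS-configured NiFi (BC-backed keystore types). Something like `<!-- general-purpose BC provider; registered by JettyServer for BC keystore types, not a FIPS-validated module -->` would prevent a wrong expectation. The artifact carries no version here, so it is presumably managed by a parent pom.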
diff --git
a/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
b/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
index 77b67509a2..c960f6abbc 100644
---
a/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
+++
b/minifi/minifi-c2/minifi-c2-jetty/src/main/java/org/apache/nifi/minifi/c2/jetty/JettyServer.java
@@ -17,59 +17,70 @@
package org.apache.nifi.minifi.c2.jetty;
-import org.apache.nifi.minifi.c2.api.properties.C2Properties;
-import org.eclipse.jetty.server.Handler;
-import org.eclipse.jetty.server.HttpConfiguration;
-import org.eclipse.jetty.server.HttpConnectionFactory;
-import org.eclipse.jetty.server.SecureRequestCustomizer;
-import org.eclipse.jetty.server.Server;
-import org.eclipse.jetty.server.ServerConnector;
-import org.eclipse.jetty.server.SslConnectionFactory;
-import org.eclipse.jetty.server.handler.HandlerCollection;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-import org.eclipse.jetty.webapp.WebAppClassLoader;
-import org.eclipse.jetty.webapp.WebAppContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_KEYSTORE;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_KEYSTORE_PASSWD;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_KEYSTORE_TYPE;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_KEY_PASSWD;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_TRUSTSTORE;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_TRUSTSTORE_PASSWD;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_TRUSTSTORE_TYPE;
import java.io.File;
+import java.io.FileInputStream;
import java.io.IOException;
+import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
+import java.security.KeyStore;
+import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
-import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import javax.net.ssl.SSLContext;
+import
org.apache.nifi.jetty.configuration.connector.StandardServerConnectorFactory;
+import org.apache.nifi.minifi.c2.api.properties.C2Properties;
+import org.apache.nifi.security.ssl.StandardKeyStoreBuilder;
+import org.apache.nifi.security.ssl.StandardSslContextBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.eclipse.jetty.server.Handler;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.handler.HandlerCollection;
+import org.eclipse.jetty.webapp.WebAppClassLoader;
+import org.eclipse.jetty.webapp.WebAppContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
public class JettyServer {
private static final Logger logger =
LoggerFactory.getLogger(JettyServer.class);
- private static String C2_SERVER_HOME = System.getenv("C2_SERVER_HOME");
+ private static final String C2_SERVER_HOME =
System.getenv("C2_SERVER_HOME");
private static final String WEB_DEFAULTS_XML = "webdefault.xml";
+ static {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
public static void main(String[] args) throws Exception {
C2Properties properties = C2Properties.getInstance();
final HandlerCollection handlers = new HandlerCollection();
- for (Path path : Files.list(Paths.get(C2_SERVER_HOME,
"webapps")).collect(Collectors.toList())) {
- handlers.addHandler(loadWar(path.toFile(), "/c2",
JettyServer.class.getClassLoader()));
+ try (Stream<Path> files = Files.list(Paths.get(C2_SERVER_HOME,
"webapps"))) {
+ files.forEach(path -> handlers.addHandler(loadWar(path.toFile(),
"/c2", JettyServer.class.getClassLoader())));
}
Server server;
int port =
Integer.parseInt(properties.getProperty("minifi.c2.server.port", "10090"));
if (properties.isSecure()) {
- SslContextFactory sslContextFactory =
properties.getSslContextFactory();
- HttpConfiguration config = new HttpConfiguration();
- config.setSecureScheme("https");
- config.setSecurePort(port);
- config.addCustomizer(new SecureRequestCustomizer());
-
server = new Server();
+ StandardServerConnectorFactory serverConnectorFactory = new
StandardServerConnectorFactory(server, port);
+ serverConnectorFactory.setSslContext(buildSSLContext(properties));
+ serverConnectorFactory.setWantClientAuth(true);
- ServerConnector serverConnector = new ServerConnector(server, new
SslConnectionFactory(sslContextFactory, "http/1.1"), new
HttpConnectionFactory(config));
- serverConnector.setPort(port);
-
- server.addConnector(serverConnector);
+ ServerConnector https =
serverConnectorFactory.getServerConnector();
+ https.setPort(port);
+ server.addConnector(https);
} else {
server = new Server(port);
}
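Review bot: `Security.addProvider(new BouncyCastleProvider())` in the static initializer changes JVM-wide provider configuration as a side effect of loading the class, and nothing says which keystore types or algorithms need it; a comment such as `// Register BC (appended at lowest priority) so BC-backed keystore types named by minifi.c2.server.keystoreType can be loaded — confirm` would make the dependency on provider order explicit. `https.setPort(port)` after the factory was already constructed with `port` looks redundant, though the factory's handling of the port is not visible here. `main` continues past the hunk.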
@@ -100,7 +111,42 @@ public class JettyServer {
server.join();
}
- private static WebAppContext loadWar(final File warFile, final String
contextPath, final ClassLoader parentClassLoader) throws IOException {
+ private static SSLContext buildSSLContext(C2Properties properties) {
+ KeyStore keyStore;
+ KeyStore truststore;
+
+ File keyStoreFile =
Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE)).toFile();
+ logger.debug("Loading Key Store [{}]", keyStoreFile.getPath());
+ try (FileInputStream keyStoreStream = new
FileInputStream(keyStoreFile)) {
+ keyStore = new StandardKeyStoreBuilder()
+ .type(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_TYPE))
+ .inputStream(keyStoreStream)
+
.password(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_PASSWD).toCharArray())
+ .build();
+ } catch (IOException ioe) {
+ throw new UncheckedIOException("Key Store loading failed", ioe);
+ }
+
+ File trustStoreFile =
Paths.get(C2_SERVER_HOME).resolve(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE)).toFile();
+ logger.debug("Loading Trust Store [{}]", trustStoreFile.getPath());
+ try (FileInputStream trustStoreStream = new
FileInputStream(trustStoreFile)) {
+ truststore = new StandardKeyStoreBuilder()
+ .type(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_TYPE))
+ .inputStream(trustStoreStream)
+
.password(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_PASSWD).toCharArray())
+ .build();
+ } catch (IOException ioe) {
+ throw new UncheckedIOException("Trust Store loading failed", ioe);
+ }
+
+ return new StandardSslContextBuilder()
+ .keyStore(keyStore)
+
.keyPassword(properties.getProperty(MINIFI_C2_SERVER_KEY_PASSWD).toCharArray())
+ .trustStore(truststore)
+ .build();
+ }
+
+ private static WebAppContext loadWar(final File warFile, final String
contextPath, final ClassLoader parentClassLoader) {
final WebAppContext webappContext = new
WebAppContext(warFile.getPath(), contextPath);
webappContext.setContextPath(contextPath);
webappContext.setDisplayName(contextPath);
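Review bot: `properties.getProperty(...)` returns null for an absent key, so a missing `minifi.c2.server.keystorePasswd` fails at `.toCharArray()` with a NullPointerException that does not name the property, and an unset `C2_SERVER_HOME` fails inside `Paths.get`; a small required-property helper gives a message an operator can act on. The same body is duplicated in `HttpConnector.buildSSLContext` in the `minifi-c2-provider-util` hunk, so a shared builder next to `C2Properties` would keep the two from drifting. The helper is sketched below; the callers would use `requiredProperty(properties, MINIFI_C2_SERVER_KEYSTORE)` and so on in place of the bare `getProperty` calls.
```java
/** Returns the named C2 property or fails with a message naming it. */
private static String requiredProperty(C2Properties properties, String key) {
    String value = properties.getProperty(key);
    if (value == null || value.isEmpty()) {
        throw new IllegalStateException("Missing required C2 property: " + key);
    }
    return value;
}
// … unchanged: buildSSLContext, with each properties.getProperty(KEY) replaced by requiredProperty(properties, KEY) …
```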
@@ -134,7 +180,11 @@ public class JettyServer {
// configure the max form size (3x the default)
webappContext.setMaxFormContentSize(600000);
- webappContext.setClassLoader(new WebAppClassLoader(parentClassLoader,
webappContext));
+ try {
+ webappContext.setClassLoader(new
WebAppClassLoader(parentClassLoader, webappContext));
+ } catch (IOException e) {
+ throw new UncheckedIOException("ClassLoader initialization
failed", e);
+ }
logger.info("Loading WAR: " + warFile.getAbsolutePath() + " with
context path set to " + contextPath);
return webappContext;
diff --git
a/minifi/minifi-c2/minifi-c2-provider/minifi-c2-provider-util/pom.xml
b/minifi/minifi-c2/minifi-c2-provider/minifi-c2-provider-util/pom.xml
index 98d281d7cb..fe08bec0dd 100644
--- a/minifi/minifi-c2/minifi-c2-provider/minifi-c2-provider-util/pom.xml
+++ b/minifi/minifi-c2/minifi-c2-provider/minifi-c2-provider-util/pom.xml
@@ -35,5 +35,9 @@ limitations under the License.
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-util</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-security-ssl</artifactId>
+ </dependency>
</dependencies>
</project>
diff --git
a/minifi/minifi-c2/minifi-c2-provider/minifi-c2-provider-util/src/main/java/org/apache/nifi/minifi/c2/provider/util/HttpConnector.java
b/minifi/minifi-c2/minifi-c2-provider/minifi-c2-provider-util/src/main/java/org/apache/nifi/minifi/c2/provider/util/HttpConnector.java
index 1c8e0c75da..49fe6a70a9 100644
---
a/minifi/minifi-c2/minifi-c2-provider/minifi-c2-provider-util/src/main/java/org/apache/nifi/minifi/c2/provider/util/HttpConnector.java
+++
b/minifi/minifi-c2/minifi-c2-provider/minifi-c2-provider-util/src/main/java/org/apache/nifi/minifi/c2/provider/util/HttpConnector.java
@@ -17,35 +17,51 @@
package org.apache.nifi.minifi.c2.provider.util;
-import org.apache.nifi.minifi.c2.api.ConfigurationProviderException;
-import org.apache.nifi.minifi.c2.api.InvalidParameterException;
-import org.apache.nifi.minifi.c2.api.properties.C2Properties;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_KEYSTORE;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_KEYSTORE_PASSWD;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_KEYSTORE_TYPE;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_KEY_PASSWD;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_TRUSTSTORE;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_TRUSTSTORE_PASSWD;
+import static
org.apache.nifi.minifi.c2.api.properties.C2Properties.MINIFI_C2_SERVER_TRUSTSTORE_TYPE;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocketFactory;
+import java.io.File;
+import java.io.FileInputStream;
import java.io.IOException;
+import java.io.UncheckedIOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.URL;
import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
+import java.nio.file.Paths;
import java.security.GeneralSecurityException;
+import java.security.KeyStore;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
-import java.util.stream.Collectors;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import org.apache.nifi.minifi.c2.api.ConfigurationProviderException;
+import org.apache.nifi.minifi.c2.api.InvalidParameterException;
+import org.apache.nifi.minifi.c2.api.properties.C2Properties;
+import org.apache.nifi.security.ssl.StandardKeyStoreBuilder;
+import org.apache.nifi.security.ssl.StandardSslContextBuilder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
public class HttpConnector {
+
private static final Logger logger =
LoggerFactory.getLogger(HttpConnector.class);
+ private static final String HTTPS = "https:";
+ private static final String C2_SERVER_HOME =
System.getenv("C2_SERVER_HOME");
private final String baseUrl;
- private final SslContextFactory sslContextFactory;
+ private final SSLContext sslContext;
private final Proxy proxy;
private final String proxyAuthorization;
@@ -57,14 +73,11 @@ public class HttpConnector {
this(baseUrl, proxyHost, proxyPort, null, null);
}
- public HttpConnector(String baseUrl, String proxyHost, int proxyPort,
String proxyUsername, String proxyPassword) throws InvalidParameterException,
GeneralSecurityException, IOException {
- if (baseUrl.startsWith("https:")) {
- sslContextFactory =
C2Properties.getInstance().getSslContextFactory();
- if (sslContextFactory == null) {
- throw new InvalidParameterException("Need sslContextFactory to
connect to https endpoint (" + baseUrl + ")");
- }
+ public HttpConnector(String baseUrl, String proxyHost, int proxyPort,
String proxyUsername, String proxyPassword) throws InvalidParameterException {
+ if (baseUrl.startsWith(HTTPS)) {
+ sslContext = buildSSLContext();
} else {
- sslContextFactory = null;
+ sslContext = null;
}
this.baseUrl = baseUrl;
if (proxyHost != null && !proxyHost.isEmpty()) {
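Review bot: The constructor no longer declares `GeneralSecurityException, IOException`, and the null check that raised `InvalidParameterException` for an https endpoint is gone, so keystore problems now escape from `buildSSLContext()` as `UncheckedIOException`; callers that catch the checked exceptions for a misconfigured https base URL will miss it. Either catch `UncheckedIOException` here and rethrow `InvalidParameterException` to keep the declared contract, or document the new behaviour with `@throws UncheckedIOException if the keystore or truststore named in C2Properties cannot be loaded`. The constructor body continues past the hunk.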
@@ -89,6 +102,43 @@ public class HttpConnector {
}
}
+ private SSLContext buildSSLContext() {
+ C2Properties properties = C2Properties.getInstance();
+ KeyStore keyStore;
+ KeyStore truststore;
+
+ Path c2ServerHome = Paths.get(C2_SERVER_HOME);
+ File keyStoreFile =
c2ServerHome.resolve(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE)).toFile();
+ logger.debug("Loading Key Store [{}]", keyStoreFile.getPath());
+ try (FileInputStream keyStoreStream = new
FileInputStream(keyStoreFile)) {
+ keyStore = new StandardKeyStoreBuilder()
+ .type(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_TYPE))
+ .inputStream(keyStoreStream)
+
.password(properties.getProperty(MINIFI_C2_SERVER_KEYSTORE_PASSWD).toCharArray())
+ .build();
+ } catch (IOException ioe) {
+ throw new UncheckedIOException("Key Store loading failed", ioe);
+ }
+
+ File trustStoreFile =
c2ServerHome.resolve(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE)).toFile();
+ logger.debug("Loading Trust Store [{}]", trustStoreFile.getPath());
+ try (FileInputStream trustStoreStream = new
FileInputStream(trustStoreFile)) {
+ truststore = new StandardKeyStoreBuilder()
+ .type(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_TYPE))
+ .inputStream(trustStoreStream)
+
.password(properties.getProperty(MINIFI_C2_SERVER_TRUSTSTORE_PASSWD).toCharArray())
+ .build();
+ } catch (IOException ioe) {
+ throw new UncheckedIOException("Trust Store loading failed", ioe);
+ }
+
+ return new StandardSslContextBuilder()
+ .keyStore(keyStore)
+
.keyPassword(properties.getProperty(MINIFI_C2_SERVER_KEY_PASSWD).toCharArray())
+ .trustStore(truststore)
+ .build();
+ }
+
public HttpURLConnection get(String endpointPath) throws
ConfigurationProviderException {
return get(endpointPath, Collections.emptyMap());
}
@@ -112,9 +162,8 @@ public class HttpConnector {
} else {
httpURLConnection = (HttpURLConnection)
url.openConnection(proxy);
}
- if (sslContextFactory != null) {
+ if (sslContext != null) {
HttpsURLConnection httpsURLConnection = (HttpsURLConnection)
httpURLConnection;
- SSLContext sslContext = sslContextFactory.getSslContext();
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
httpsURLConnection.setSSLSocketFactory(socketFactory);
}
@@ -124,7 +173,7 @@ public class HttpConnector {
if (proxyAuthorization != null) {
httpURLConnection.setRequestProperty("Proxy-Authorization",
proxyAuthorization);
}
- headers.forEach((s, strings) ->
httpURLConnection.setRequestProperty(s,
strings.stream().collect(Collectors.joining(","))));
+ headers.forEach((s, strings) ->
httpURLConnection.setRequestProperty(s, String.join(",", strings)));
return httpURLConnection;
}
}
diff --git
a/minifi/minifi-c2/minifi-c2-service/src/main/java/org/apache/nifi/minifi/c2/service/ConfigService.java
b/minifi/minifi-c2/minifi-c2-service/src/main/java/org/apache/nifi/minifi/c2/service/ConfigService.java
index 59d048320d..8349a9834f 100644
---
a/minifi/minifi-c2/minifi-c2-service/src/main/java/org/apache/nifi/minifi/c2/service/ConfigService.java
+++
b/minifi/minifi-c2/minifi-c2-service/src/main/java/org/apache/nifi/minifi/c2/service/ConfigService.java
@@ -17,6 +17,9 @@
package org.apache.nifi.minifi.c2.service;
+import static javax.ws.rs.core.HttpHeaders.CONTENT_LENGTH;
+import static javax.ws.rs.core.Response.Status.BAD_REQUEST;
+
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Suppliers;
import com.google.common.cache.CacheBuilder;
@@ -28,33 +31,6 @@ import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
-import org.apache.nifi.c2.protocol.api.C2Heartbeat;
-import org.apache.nifi.c2.protocol.api.C2HeartbeatResponse;
-import org.apache.nifi.c2.protocol.api.C2OperationAck;
-import org.apache.nifi.minifi.c2.api.ConfigurationProvider;
-import org.apache.nifi.minifi.c2.api.ConfigurationProviderException;
-import org.apache.nifi.minifi.c2.api.InvalidParameterException;
-import
org.apache.nifi.minifi.c2.api.security.authorization.AuthorizationException;
-import org.apache.nifi.minifi.c2.api.security.authorization.Authorizer;
-import org.apache.nifi.minifi.c2.api.util.Pair;
-import org.apache.nifi.minifi.c2.util.HttpRequestUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.core.context.SecurityContextHolder;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
@@ -72,9 +48,32 @@ import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import java.util.stream.Collectors;
-
-import static javax.ws.rs.core.HttpHeaders.CONTENT_LENGTH;
-import static javax.ws.rs.core.Response.Status.BAD_REQUEST;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriInfo;
+import org.apache.nifi.c2.protocol.api.C2Heartbeat;
+import org.apache.nifi.c2.protocol.api.C2HeartbeatResponse;
+import org.apache.nifi.c2.protocol.api.C2OperationAck;
+import org.apache.nifi.minifi.c2.api.ConfigurationProvider;
+import org.apache.nifi.minifi.c2.api.ConfigurationProviderException;
+import org.apache.nifi.minifi.c2.api.InvalidParameterException;
+import
org.apache.nifi.minifi.c2.api.security.authorization.AuthorizationException;
+import org.apache.nifi.minifi.c2.api.security.authorization.Authorizer;
+import org.apache.nifi.minifi.c2.api.util.Pair;
+import org.apache.nifi.minifi.c2.util.HttpRequestUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.core.context.SecurityContextHolder;
@Configuration
@Path("/config")
@@ -361,14 +360,11 @@ public class ConfigService {
int read;
try (InputStream inputStream = configuration.getInputStream();
ByteArrayOutputStream outputStream = new
ByteArrayOutputStream()) {
- MessageDigest md5 = MessageDigest.getInstance("MD5");
MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
while ((read = inputStream.read(buffer)) >= 0) {
outputStream.write(buffer, 0, read);
- md5.update(buffer, 0, read);
sha256.update(buffer, 0, read);
}
- ok = ok.header("Content-MD5", bytesToHex(md5.digest()));
ok = ok.header("X-Content-SHA-256",
bytesToHex(sha256.digest()));
ok = ok.entity(outputStream.toByteArray());
} catch (ConfigurationProviderException | IOException |
NoSuchAlgorithmException e) {
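Review bot: Removing the `Content-MD5` response header is a wire-visible change for any client that verified it, and neither the hunk nor the commit description records it; `X-Content-SHA-256` remains. A comment at the SHA-256 header, `// Content-MD5 is no longer emitted (MD5 is not FIPS-approved); clients verify X-Content-SHA-256`, keeps the rationale next to the code, and a release-note entry is warranted if agents predating this change validate Content-MD5. The enclosing method starts and ends outside the hunk.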
diff --git a/minifi/minifi-commons/minifi-commons-schema/pom.xml
b/minifi/minifi-commons/minifi-commons-schema/pom.xml
index 5a8df2d64a..7dce9c63cd 100644
--- a/minifi/minifi-commons/minifi-commons-schema/pom.xml
+++ b/minifi/minifi-commons/minifi-commons-schema/pom.xml
@@ -33,5 +33,9 @@
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-api</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-security-utils-api</artifactId>
+ </dependency>
</dependencies>
</project>
diff --git
a/minifi/minifi-commons/minifi-commons-schema/src/main/java/org/apache/nifi/minifi/commons/schema/SecurityPropertiesSchema.java
b/minifi/minifi-commons/minifi-commons-schema/src/main/java/org/apache/nifi/minifi/commons/schema/SecurityPropertiesSchema.java
index 8ad68bbb75..a8115213a4 100644
---
a/minifi/minifi-commons/minifi-commons-schema/src/main/java/org/apache/nifi/minifi/commons/schema/SecurityPropertiesSchema.java
+++
b/minifi/minifi-commons/minifi-commons-schema/src/main/java/org/apache/nifi/minifi/commons/schema/SecurityPropertiesSchema.java
@@ -17,11 +17,14 @@
package org.apache.nifi.minifi.commons.schema;
+import java.util.Arrays;
+import java.util.stream.Collectors;
import org.apache.nifi.minifi.commons.schema.common.BaseSchema;
import org.apache.nifi.minifi.commons.schema.common.StringUtil;
import org.apache.nifi.minifi.commons.schema.common.WritableSchema;
import java.util.Map;
+import org.apache.nifi.security.util.KeystoreType;
import static
org.apache.nifi.minifi.commons.schema.common.CommonPropertyKeys.SECURITY_PROPS_KEY;
import static
org.apache.nifi.minifi.commons.schema.common.CommonPropertyKeys.SENSITIVE_PROPS_KEY;
@@ -60,7 +63,8 @@ public class SecurityPropertiesSchema extends BaseSchema
implements WritableSche
keystoreType = getOptionalKeyAsType(map, KEYSTORE_TYPE_KEY,
String.class, SECURITY_PROPS_KEY, "");
if (!StringUtil.isNullOrEmpty(keystoreType)) {
if (validateStoreType(keystoreType)) {
- addValidationIssue(KEYSTORE_TYPE_KEY, SECURITY_PROPS_KEY, "it
is not a supported type (must be either PKCS12 or JKS format)");
+ addValidationIssue(KEYSTORE_TYPE_KEY, SECURITY_PROPS_KEY, "it
is not a supported type (must be either " +
+
Arrays.stream(KeystoreType.values()).map(KeystoreType::getType).collect(Collectors.joining(",
")) + " format)");
}
}
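Review bot: The supported-type list is rebuilt from `KeystoreType.values()` on every validation and the same expression is repeated in the truststore hunk that follows; a class constant such as `private static final String SUPPORTED_STORE_TYPES = Arrays.stream(KeystoreType.values()).map(KeystoreType::getType).collect(Collectors.joining(", "));` used in both messages avoids the duplication and the two wrapped lines. Since the message now enumerates whatever `KeystoreType` provides, the earlier fixed "PKCS12 or JKS" wording in any documentation should be updated to match. The enclosing method runs outside the hunk.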
@@ -73,7 +77,8 @@ public class SecurityPropertiesSchema extends BaseSchema
implements WritableSche
truststoreType = getOptionalKeyAsType(map, TRUSTSTORE_TYPE_KEY,
String.class, SECURITY_PROPS_KEY, "");
if (!StringUtil.isNullOrEmpty(truststoreType)) {
if (validateStoreType(truststoreType)) {
- addValidationIssue(TRUSTSTORE_TYPE_KEY, SECURITY_PROPS_KEY,
"it is not a supported type (must be either PKCS12 or JKS format)");
+ addValidationIssue(TRUSTSTORE_TYPE_KEY, SECURITY_PROPS_KEY,
"it is not a supported type (must be either " +
+
Arrays.stream(KeystoreType.values()).map(KeystoreType::getType).collect(Collectors.joining(",
")) + " format)");
}
}
@@ -134,7 +139,7 @@ public class SecurityPropertiesSchema extends BaseSchema
implements WritableSche
}
private boolean validateStoreType(String store) {
- return !store.isEmpty() && !(store.equalsIgnoreCase("JKS") ||
store.equalsIgnoreCase("PKCS12"));
+ return !store.isEmpty() && !KeystoreType.isValidKeystoreType(store);
}
public boolean useSSL() {
diff --git
a/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge1/raspi3/config.text.yml.v1
b/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge1/raspi3/config.text.yml.v1
index d778600f24..459b7e8864 100644
---
a/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge1/raspi3/config.text.yml.v1
+++
b/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge1/raspi3/config.text.yml.v1
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors: []
Process Groups: []
diff --git
a/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge2/raspi2/config.text.yml.v1
b/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge2/raspi2/config.text.yml.v1
index d762ad6913..772f37994e 100644
---
a/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge2/raspi2/config.text.yml.v1
+++
b/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge2/raspi2/config.text.yml.v1
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors: []
Process Groups: []
diff --git
a/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge3/raspi3/config.text.yml.v1
b/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge3/raspi3/config.text.yml.v1
index da30790409..9a9ea12388 100644
---
a/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge3/raspi3/config.text.yml.v1
+++
b/minifi/minifi-integration-tests/src/test/resources/c2/hierarchical/c2-authoritative/files/edge3/raspi3/config.text.yml.v1
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key: ''
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors: []
Process Groups: []
diff --git
a/minifi/minifi-integration-tests/src/test/resources/conf/nifi.properties
b/minifi/minifi-integration-tests/src/test/resources/conf/nifi.properties
index e23c5b0d09..b2530ed55e 100644
--- a/minifi/minifi-integration-tests/src/test/resources/conf/nifi.properties
+++ b/minifi/minifi-integration-tests/src/test/resources/conf/nifi.properties
@@ -71,7 +71,7 @@ nifi.web.jetty.working.directory=./target/work/jetty
# security properties #
nifi.sensitive.props.key=key
-nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
+nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.security.keystore=
nifi.security.keystoreType=
diff --git
a/minifi/minifi-integration-tests/src/test/resources/standalone/v1/CsvToJson/yml/CsvToJson.yml
b/minifi/minifi-integration-tests/src/test/resources/standalone/v1/CsvToJson/yml/CsvToJson.yml
index 1237ac8c4b..73867a4fc2 100644
---
a/minifi/minifi-integration-tests/src/test/resources/standalone/v1/CsvToJson/yml/CsvToJson.yml
+++
b/minifi/minifi-integration-tests/src/test/resources/standalone/v1/CsvToJson/yml/CsvToJson.yml
@@ -52,7 +52,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- name: ExtractText
diff --git
a/minifi/minifi-integration-tests/src/test/resources/standalone/v1/DecompressionCircularFlow/yml/DecompressionCircularFlow.yml
b/minifi/minifi-integration-tests/src/test/resources/standalone/v1/DecompressionCircularFlow/yml/DecompressionCircularFlow.yml
index 743fdf670a..dedbce90b8 100644
---
a/minifi/minifi-integration-tests/src/test/resources/standalone/v1/DecompressionCircularFlow/yml/DecompressionCircularFlow.yml
+++
b/minifi/minifi-integration-tests/src/test/resources/standalone/v1/DecompressionCircularFlow/yml/DecompressionCircularFlow.yml
@@ -52,7 +52,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- name: Compressed?
diff --git
a/minifi/minifi-integration-tests/src/test/resources/standalone/v1/MiNiFiTailLogAttribute/yml/MiNiFiTailLogAttribute.yml
b/minifi/minifi-integration-tests/src/test/resources/standalone/v1/MiNiFiTailLogAttribute/yml/MiNiFiTailLogAttribute.yml
index 88f5c6d391..1adb3e1d6a 100644
---
a/minifi/minifi-integration-tests/src/test/resources/standalone/v1/MiNiFiTailLogAttribute/yml/MiNiFiTailLogAttribute.yml
+++
b/minifi/minifi-integration-tests/src/test/resources/standalone/v1/MiNiFiTailLogAttribute/yml/MiNiFiTailLogAttribute.yml
@@ -52,7 +52,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- name: LogAttribute
diff --git
a/minifi/minifi-integration-tests/src/test/resources/standalone/v1/ReplaceTextExpressionLanguageCSVReformatting/yml/ReplaceTextExpressionLanguageCSVReformatting.yml
b/minifi/minifi-integration-tests/src/test/resources/standalone/v1/ReplaceTextExpressionLanguageCSVReformatting/yml/ReplaceTextExpressionLanguageCSVReformatting.yml
index 8c280c8bb3..e06b8f387f 100644
---
a/minifi/minifi-integration-tests/src/test/resources/standalone/v1/ReplaceTextExpressionLanguageCSVReformatting/yml/ReplaceTextExpressionLanguageCSVReformatting.yml
+++
b/minifi/minifi-integration-tests/src/test/resources/standalone/v1/ReplaceTextExpressionLanguageCSVReformatting/yml/ReplaceTextExpressionLanguageCSVReformatting.yml
@@ -52,7 +52,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- name: Generate Empty File
diff --git
a/minifi/minifi-integration-tests/src/test/resources/standalone/v2/MultipleRelationships/yml/MultipleRelationships.yml
b/minifi/minifi-integration-tests/src/test/resources/standalone/v2/MultipleRelationships/yml/MultipleRelationships.yml
index 71dce07452..ab3f54f5cc 100644
---
a/minifi/minifi-integration-tests/src/test/resources/standalone/v2/MultipleRelationships/yml/MultipleRelationships.yml
+++
b/minifi/minifi-integration-tests/src/test/resources/standalone/v2/MultipleRelationships/yml/MultipleRelationships.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 7c755ed6-0157-1000-0000-000000000000
diff --git
a/minifi/minifi-integration-tests/src/test/resources/standalone/v2/ProcessGroups/yml/ProcessGroups.yml
b/minifi/minifi-integration-tests/src/test/resources/standalone/v2/ProcessGroups/yml/ProcessGroups.yml
index fc837b63e1..8a03330761 100644
---
a/minifi/minifi-integration-tests/src/test/resources/standalone/v2/ProcessGroups/yml/ProcessGroups.yml
+++
b/minifi/minifi-integration-tests/src/test/resources/standalone/v2/ProcessGroups/yml/ProcessGroups.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: e25cd92a-0157-1000-0000-000000000000
diff --git
a/minifi/minifi-integration-tests/src/test/resources/standalone/v2/StressTestFramework/yml/StressTestFramework.yml
b/minifi/minifi-integration-tests/src/test/resources/standalone/v2/StressTestFramework/yml/StressTestFramework.yml
index 46cd84d02b..220f9da14d 100644
---
a/minifi/minifi-integration-tests/src/test/resources/standalone/v2/StressTestFramework/yml/StressTestFramework.yml
+++
b/minifi/minifi-integration-tests/src/test/resources/standalone/v2/StressTestFramework/yml/StressTestFramework.yml
@@ -53,7 +53,7 @@ Security Properties:
ssl protocol: ''
Sensitive Props:
key:
- algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
+ algorithm: NIFI_PBKDF2_AES_GCM_256
provider: BC
Processors:
- id: 16a47794-5391-4ad2-0000-000000000000
diff --git a/minifi/pom.xml b/minifi/pom.xml
index f7b542fb5a..e79a0d81d1 100644
--- a/minifi/pom.xml
+++ b/minifi/pom.xml
@@ -279,6 +279,11 @@ limitations under the License.
<artifactId>nifi-toolkit-tls</artifactId>
<version>1.21.0-SNAPSHOT</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.nifi</groupId>
+ <artifactId>nifi-jetty-configuration</artifactId>
+ <version>1.21.0-SNAPSHOT</version>
+ </dependency>
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-resources</artifactId>