nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/util/SecureNiFiConfigUtil.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.nifi.bootstrap.util;

import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.util.NiFiProperties;
import org.bouncycastle.util.IPAddress;
import org.slf4j.Logger;

import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;

public class SecureNiFiConfigUtil {

    private static final int CERT_DURATION_DAYS = 60;
    private static final String LOCALHOST_NAME = "localhost";
    private static final String PROPERTY_VALUE_PATTERN = "%s=%s";

    private SecureNiFiConfigUtil() {

    }

    private static boolean fileExists(String filename) {
        return StringUtils.isNotEmpty(filename) && Paths.get(filename).toFile().exists();
    }

    /**
     * Returns true only if nifi.web.https.port is set, nifi.security.keystore and nifi.security.truststore
     * are both set, and both nifi.security.keystorePasswd and nifi.security.truststorePassword are NOT set.
     *
     * This would indicate that the user intends to auto-generate a keystore and truststore, rather than
     * using their existing kestore and truststore.
     * @param nifiProperties The nifi properties
     * @return
     */
    private static boolean isHttpsSecurityConfiguredWithEmptyPasswords(final Properties nifiProperties) {
        if (StringUtils.isEmpty(nifiProperties.getProperty(NiFiProperties.WEB_HTTPS_PORT, StringUtils.EMPTY))) {
            return false;
        }

        String keystorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE, StringUtils.EMPTY);
        String truststorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE, StringUtils.EMPTY);
        if (StringUtils.isEmpty(keystorePath) || StringUtils.isEmpty(truststorePath)) {
            return false;
        }

        String keystorePassword = nifiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD, StringUtils.EMPTY);
        String truststorePassword = nifiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD, StringUtils.EMPTY);
        if (StringUtils.isNotEmpty(keystorePassword) || StringUtils.isNotEmpty(truststorePassword)) {
            return false;
        }

        return true;
    }

    /**
     * If HTTPS is enabled (nifi.web.https.port is set), but the keystore file specified in nifi.security.keystore
     * does not exist, this will generate a key pair and self-signed certificate, generate the associated keystore
     * and truststore and write them to disk under the configured filepaths, generate a secure random keystore password
     * and truststore password, and write these to the nifi.properties file.
     * @param nifiPropertiesFilename The filename of the nifi.properties file
     * @param cmdLogger The bootstrap logger
     * @throws IOException can be thrown when writing keystores to disk
     * @throws RuntimeException indicates a security exception while generating keystores
     */
    public static void configureSecureNiFiProperties(final String nifiPropertiesFilename, final Logger cmdLogger) throws IOException, RuntimeException {
        final File propertiesFile = new File(nifiPropertiesFilename);
        final Properties nifiProperties = loadProperties(propertiesFile);

        if (!isHttpsSecurityConfiguredWithEmptyPasswords(nifiProperties)) {
            cmdLogger.debug("Skipping Apache Nifi certificate generation.");
            return;
        }

        String keystorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE, StringUtils.EMPTY);
        String truststorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE, StringUtils.EMPTY);
        boolean keystoreExists = fileExists(keystorePath);
        boolean truststoreExists = fileExists(truststorePath);

        if (!keystoreExists && !truststoreExists) {
            TlsConfiguration tlsConfiguration;
            cmdLogger.info("Generating Self-Signed Certificate: Expires on {}", LocalDate.now().plus(CERT_DURATION_DAYS, ChronoUnit.DAYS));
            try {
                String[] subjectAlternativeNames = getSubjectAlternativeNames(nifiProperties, cmdLogger);
                tlsConfiguration = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore(StandardTlsConfiguration
                        .fromNiFiProperties(nifiProperties), CERT_DURATION_DAYS, subjectAlternativeNames);
                final KeyStore keyStore = KeyStoreUtils.loadKeyStore(tlsConfiguration.getKeystorePath(),
                        tlsConfiguration.getKeystorePassword().toCharArray(), tlsConfiguration.getKeystoreType().getType());
                final Enumeration<String> aliases = keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    final String alias = aliases.nextElement();
                    final Certificate certificate = keyStore.getCertificate(alias);
                    if (certificate != null) {
                        final String sha256 = DigestUtils.sha256Hex(certificate.getEncoded());
                        cmdLogger.info("Generated Self-Signed Certificate SHA-256: {}", sha256.toUpperCase(Locale.ROOT));
                    }
                }
            } catch (GeneralSecurityException e) {
                throw new RuntimeException(e);
            }

            // Move over the new stores from temp dir
            Files.move(Paths.get(tlsConfiguration.getKeystorePath()), Paths.get(keystorePath),
                    StandardCopyOption.REPLACE_EXISTING);
            Files.move(Paths.get(tlsConfiguration.getTruststorePath()), Paths.get(truststorePath),
                    StandardCopyOption.REPLACE_EXISTING);

            updateProperties(propertiesFile, tlsConfiguration);

            cmdLogger.debug("Generated Keystore [{}] Truststore [{}]", keystorePath, truststorePath);
        } else if (!keystoreExists && truststoreExists) {
            cmdLogger.warn("Truststore file {} already exists.  Apache NiFi will not generate keystore and truststore separately.",
                    truststorePath);
        } else if (keystoreExists && !truststoreExists) {
            cmdLogger.warn("Keystore file {} already exists.  Apache NiFi will not generate keystore and truststore separately.",
                    keystorePath);
        }
    }

    /**
     * Attempts to add some reasonable guesses at desired SAN values that can be added to the generated
     * certificate.
     * @param nifiProperties The nifi.properties
     * @return A Pair with IP SANs on the left and DNS SANs on the right
     */
    private static String[] getSubjectAlternativeNames(Properties nifiProperties, Logger cmdLogger) {
        Set<String> dnsSubjectAlternativeNames = new HashSet<>();

        try {
            dnsSubjectAlternativeNames.add(InetAddress.getLocalHost().getHostName());
        } catch (UnknownHostException e) {
            cmdLogger.debug("Could not add localhost hostname as certificate SAN", e);
        }
        addSubjectAlternativeName(nifiProperties, NiFiProperties.REMOTE_INPUT_HOST, dnsSubjectAlternativeNames);
        addSubjectAlternativeName(nifiProperties, NiFiProperties.WEB_HTTPS_HOST, dnsSubjectAlternativeNames);
        addSubjectAlternativeName(nifiProperties, NiFiProperties.WEB_PROXY_HOST, dnsSubjectAlternativeNames);
        addSubjectAlternativeName(nifiProperties, NiFiProperties.LOAD_BALANCE_HOST, dnsSubjectAlternativeNames);

        // Not necessary to add as a SAN
        dnsSubjectAlternativeNames.remove(LOCALHOST_NAME);

        return dnsSubjectAlternativeNames.toArray(new String[dnsSubjectAlternativeNames.size()]);
    }

    private static void addSubjectAlternativeName(Properties nifiProperties, String propertyName,
                                                  Set<String> dnsSubjectAlternativeNames) {
        String hostValue = nifiProperties.getProperty(propertyName, StringUtils.EMPTY);
        if (!hostValue.isEmpty()) {
            if (!IPAddress.isValid(hostValue)) {
                dnsSubjectAlternativeNames.add(hostValue);
            }
        }
    }

    private static String getPropertyLine(String name, String value) {
        return String.format(PROPERTY_VALUE_PATTERN, name, value);
    }

    private static void updateProperties(final File propertiesFile, final TlsConfiguration tlsConfiguration) throws IOException {
        final Path propertiesFilePath = propertiesFile.toPath();
        final List<String> lines = Files.readAllLines(propertiesFilePath);
        final List<String> updatedLines = lines.stream().map(line -> {
            if (line.startsWith(NiFiProperties.SECURITY_KEYSTORE_PASSWD)) {
                return getPropertyLine(NiFiProperties.SECURITY_KEYSTORE_PASSWD, tlsConfiguration.getKeystorePassword());
            } else if (line.startsWith(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD)) {
                return getPropertyLine(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD, tlsConfiguration.getTruststorePassword());
            } else if (line.startsWith(NiFiProperties.SECURITY_KEY_PASSWD)) {
                return getPropertyLine(NiFiProperties.SECURITY_KEY_PASSWD, tlsConfiguration.getKeystorePassword());
            } else if (line.startsWith(NiFiProperties.SECURITY_KEYSTORE_TYPE)) {
                return getPropertyLine(NiFiProperties.SECURITY_KEYSTORE_TYPE, tlsConfiguration.getKeystoreType().getType());
            } else if (line.startsWith(NiFiProperties.SECURITY_TRUSTSTORE_TYPE)) {
                return getPropertyLine(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, tlsConfiguration.getTruststoreType().getType());
            } else {
                return line;
            }
        }).collect(Collectors.toList());
        Files.write(propertiesFilePath, updatedLines);
    }

    private static Properties loadProperties(final File propertiesFile) {
        final Properties properties = new Properties();
        try (final FileReader reader = new FileReader(propertiesFile)) {
            properties.load(reader);
        } catch (final IOException e) {
            final String message = String.format("Failed to read NiFi Properties [%s]", propertiesFile);
            throw new UncheckedIOException(message, e);
        }
        return properties;
    }
}