/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ranger.services.nifi.client;
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.config.ClientConfig;
import com.sun.jersey.api.client.config.DefaultClientConfig;
import com.sun.jersey.client.urlconnection.HTTPSProperties;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.client.BaseClient;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.codehaus.jackson.JsonNode;
import org.codehaus.jackson.map.ObjectMapper;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.ws.rs.core.Response;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
/**
* Client to communicate with NiFi and retrieve available resources.
*/
public class NiFiClient {
private static final Log LOG = LogFactory.getLog(NiFiClient.class);
static final String SUCCESS_MSG = "ConnectionTest Successful";
static final String FAILURE_MSG = "Unable to retrieve any resources using given parameters. ";
private final String url;
private final SSLContext sslContext;
private final HostnameVerifier hostnameVerifier;
private final ObjectMapper mapper = new ObjectMapper();
public NiFiClient(final String url, final SSLContext sslContext) {
this.url = url;
this.sslContext = sslContext;
this.hostnameVerifier = new NiFiHostnameVerifier();
}
public HashMap<String, Object> connectionTest() {
String errMsg = "";
boolean connectivityStatus;
HashMap<String, Object> responseData = new HashMap<>();
try {
final WebResource resource = getWebResource();
final ClientResponse response = getResponse(resource, "application/json");
if (LOG.isDebugEnabled()) {
LOG.debug("Got response from NiFi with status code " + response.getStatus());
}
if (Response.Status.OK.getStatusCode() == response.getStatus()) {
connectivityStatus = true;
} else {
connectivityStatus = false;
errMsg = "Status Code = " + response.getStatus();
}
} catch (Exception e) {
LOG.error("Connection to NiFi failed due to " + e.getMessage(), e);
connectivityStatus = false;
errMsg = e.getMessage();
}
if (connectivityStatus) {
BaseClient.generateResponseDataMap(connectivityStatus, SUCCESS_MSG, SUCCESS_MSG, null, null, responseData);
} else {
BaseClient.generateResponseDataMap(connectivityStatus, FAILURE_MSG, FAILURE_MSG + errMsg, null, null, responseData);
}
if (LOG.isDebugEnabled()) {
LOG.debug("Response Data - " + responseData);
}
return responseData;
}
public List<String> getResources(ResourceLookupContext context) throws Exception {
final WebResource resource = getWebResource();
final ClientResponse response = getResponse(resource, "application/json");
if (Response.Status.OK.getStatusCode() != response.getStatus()) {
String errorMsg = IOUtils.toString(response.getEntityInputStream());
throw new Exception("Unable to retrieve resources from NiFi due to: " + errorMsg);
}
JsonNode rootNode = mapper.readTree(response.getEntityInputStream());
if (rootNode == null) {
throw new Exception("Unable to retrieve resources from NiFi");
}
JsonNode resourcesNode = rootNode.findValue("resources");
List<String> identifiers = resourcesNode.findValuesAsText("identifier");
final String userInput = context.getUserInput();
if (StringUtils.isBlank(userInput)) {
return identifiers;
} else {
List<String> filteredIdentifiers = new ArrayList<>();
for (String identifier : identifiers) {
if (identifier.contains(userInput)) {
filteredIdentifiers.add(identifier);
}
}
return filteredIdentifiers;
}
}
protected WebResource getWebResource() {
final ClientConfig config = new DefaultClientConfig();
if (sslContext != null) {
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES,
new HTTPSProperties(hostnameVerifier, sslContext));
}
final Client client = Client.create(config);
return client.resource(url);
}
protected ClientResponse getResponse(WebResource resource, String accept) {
return resource.accept(accept).get(ClientResponse.class);
}
public String getUrl() {
return url;
}
public SSLContext getSslContext() {
return sslContext;
}
public HostnameVerifier getHostnameVerifier() {
return hostnameVerifier;
}
/**
* Custom hostname verifier that checks subject alternative names against the hostname of the URI.
*/
private static class NiFiHostnameVerifier implements HostnameVerifier {
@Override
public boolean verify(final String hostname, final SSLSession ssls) {
try {
for (final Certificate peerCertificate : ssls.getPeerCertificates()) {
if (peerCertificate instanceof X509Certificate) {
final X509Certificate x509Cert = (X509Certificate) peerCertificate;
final List<String> subjectAltNames = getSubjectAlternativeNames(x509Cert);
if (subjectAltNames.contains(hostname.toLowerCase())) {
return true;
}
}
}
} catch (final SSLPeerUnverifiedException | CertificateParsingException ex) {
LOG.warn("Hostname Verification encountered exception verifying hostname due to: " + ex, ex);
}
return false;
}
private List<String> getSubjectAlternativeNames(final X509Certificate certificate) throws CertificateParsingException {
final Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();
if (altNames == null) {
return new ArrayList<>();
}
final List<String> result = new ArrayList<>();
for (final List<?> generalName : altNames) {
/**
* generalName has the name type as the first element a String or byte array for the second element. We return any general names that are String types.
*
* We don't inspect the numeric name type because some certificates incorrectly put IPs and DNS names under the wrong name types.
*/
final Object value = generalName.get(1);
if (value instanceof String) {
result.add(((String) value).toLowerCase());
}
}
return result;
}
}
}