Merge pull request #226 from Engineering-Research-and-Development/feature/certification_fixes

Feature/certification fixes

Author: IgorBalog-Eng

CHANGELOG.md

@@ -1,6 +1,22 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.14.3] - 2023-09-12
+
+### Changed
+
+ - failed login is registered in logs (UserNotFoundException)
+ - bumped spring-boot-parent to 2.5.14
+ - hardcoded not to show stack trace in response
+ - if DAPS certificate is not loaded, or certificate expired, connector will not start
+ - changed how connectorId is used - now it is single property that needs to be set (application.connectorid)
+ - if connectorId is not valid (blank) connector will not start
+
+### Added
+
+ - added Spring StrictHttpFirewall with firewall.property file; default - disabled
+ - new property application.connectorid
+ 
 ## [1.14.2] - 2023-08-01
 
 ### Changed

README.md

@@ -64,6 +64,39 @@ The ECC supports three different way to exchange data:
 *  **IDSCP2** enabled if *IDSCP2=true* and *WS_INTERNAL=false* (use https on the edge) or *IDSCP2=true* and *WS_INTERNAL=true* (use WS on the edge)
 *  **Web Socket over HTTPS** enabled if *WS_OVER_HTTPS=true* and *IDSCP2=false*
 
+## Firewall <a name="firewall"></a>
+
+Execution Core Container allows setting up HttpFirewall through Spring Security. To turn it on/off, please take a look at following property: 
+
+```
+#Firewall
+application.firewall.isEnabled=true
+```
+
+If firewall is enabled, it will read properties defined in `firewall.properties` file which easily can be modified by needs of setup.
+
+```
+#Set which HTTP header names should be allowed (if want to allow all header names, keep it empty)
+allowedHeaderNames=
+#Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty)
+allowedHeaderValues=
+#Set which HTTP methods should be allowed (if want to allow all header names, keep it empty)
+allowedMethods=GET,POST
+#Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not
+allowBackSlash=true
+#Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not
+allowUrlEncodedSlash=true
+#Set if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not
+allowUrlEncodedDoubleSlash=true
+#Set if semicolon is allowed in the URL (i.e. matrix variables)
+allowSemicolon=true
+#Set if a percent "%" that is URL encoded "%25" should be allowed in the path or not
+allowUrlEncodedPercent=true
+#if a period "." that is URL encoded "%2E" should be allowed in the path or not
+allowUrlEncodedPeriod=true
+```
+*IMPORTANT:* If you're not an expert, the strong advice is to keep values at their default values. If you decide to change values, pay special attention to allowHeaderNames and allowHeaderValues, since those set values are exclusive and considered as only values that should be present in the header.
+
 ## How to Test
 The reachability could be verified using the following endpoints:
 *  **http://{IP_ADDRESS}:{HTTP_PUBLIC_PORT}/about/version**

ci/docker/be-dataapp_resources/application-docker.properties

@@ -26,6 +26,9 @@ application.extractPayloadFromResponse=${EXTRACT_PAYLOAD_FROM_RESPONSE}
 #Use default behavior for contract agreement, should not be used in production
 application.contract.negotiation.demo=${CONTRACT_NEGOTIATION_DEMO}
 
+#Firewall
+application.firewall.isEnabled=false
+
 #mydata or platoon
 application.usageControlVersion=platoon
 

ci/docker/be-dataapp_resources/firewall.properties

@@ -0,0 +1,18 @@
+#Set which HTTP header names should be allowed (if want to allow all header names, keep it empty)
+allowedHeaderNames=
+#Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty)
+allowedHeaderValues=
+#Set which HTTP methods should be allowed (if want to allow all header names, keep it empty)
+allowedMethods=GET,POST
+#Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not
+allowBackSlash=true
+#Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not
+allowUrlEncodedSlash=true
+#Set if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not
+allowUrlEncodedDoubleSlash=true
+#Set if semicolon is allowed in the URL (i.e. matrix variables)
+allowSemicolon=true
+#Set if a percent "%" that is URL encoded "%25" should be allowed in the path or not
+allowUrlEncodedPercent=true
+#if a period "." that is URL encoded "%2E" should be allowed in the path or not
+allowUrlEncodedPeriod=true

ci/docker/docker-compose-uc.yml

@@ -17,6 +17,7 @@ services:
       - DATA_APP_HEALTH_ENDPOINT=${PROVIDER_DATA_APP_HEALTH_ENDPOINT}
       - MULTIPART_EDGE=${PROVIDER_MULTIPART_EDGE}                     #Data APP endpoint multipart/mixed content type
       - MULTIPART_ECC=${MULTIPART_ECC}
+      - CONNECTOR_ID=${PROVIDER_ISSUER_CONNECTOR_URI}
       - IDSCP2=${IDSCP2}
       - WS_EDGE=${PROVIDER_WS_EDGE}
       - WS_ECC=${WS_ECC}
@@ -49,12 +50,19 @@ services:
     networks:
       - provider
     environment:
+      - ECC_PORT=8449
+      - ECC_SELF_DESCRIPTION_URL=${PROVIDER_ECC_SELF_DESCRIPTION_URL}
+      - KEYSTORE_NAME=${KEYSTORE_NAME}
+      - KEY_PASSWORD=${KEY_PASSWORD}
+      - KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}
+      - ALIAS=${ALIAS}
       - TZ=Europe/Rome
     expose:
       - "8180"
     volumes:
       - ./uc-dataapp_resources_provider:/etc
       - uc_provider_data:/data
+      - ./ecc_cert:/cert
 
   be-dataapp-provider:
     image: rdlabengpa/ids_be_data_app:develop
@@ -69,14 +77,14 @@ services:
       - ALIAS=${ALIAS}
       - ECC_HOSTNAME=ecc-provider
       - ECC_PORT=8889
-      - ECC_WSS_PORT=${ECC_PROVIDER_WSS_PORT}
       - TZ=Europe/Rome
       - ISSUER_CONNECTOR_URI=${PROVIDER_ISSUER_CONNECTOR_URI}
       - EXTRACT_PAYLOAD_FROM_RESPONSE=${EXTRACT_PAYLOAD_FROM_RESPONSE}
       - CONTRACT_NEGOTIATION_DEMO=${CONTRACT_NEGOTIATION_DEMO}
     ports:
       - "8183:8183"
-      - "9000:9000"
+    expose:
+      - "9000"
     volumes:
       - ./be-dataapp_resources:/config
       - ./be-dataapp_data_receiver:/home/nobody/data
@@ -99,6 +107,7 @@ services:
       - DATA_APP_HEALTH_ENDPOINT=${CONSUMER_DATA_APP_HEALTH_ENDPOINT}
       - MULTIPART_EDGE=${CONSUMER_MULTIPART_EDGE}                     #Data APP endpoint multipart/mixed content type
       - MULTIPART_ECC=${MULTIPART_ECC}
+      - CONNECTOR_ID=${CONSUMER_ISSUER_CONNECTOR_URI}
       - IDSCP2=${IDSCP2}
       - WS_EDGE=${CONSUMER_WS_EDGE}
       - WS_ECC=${WS_ECC}
@@ -131,12 +140,19 @@ services:
     networks:
       - consumer
     environment:
+      - ECC_PORT=8449
+      - ECC_SELF_DESCRIPTION_URL=${CONSUMER_ECC_SELF_DESCRIPTION_URL}
+      - KEYSTORE_NAME=${KEYSTORE_NAME}
+      - KEY_PASSWORD=${KEY_PASSWORD}
+      - KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}
+      - ALIAS=${ALIAS}
       - TZ=Europe/Rome
     expose:
       - "8280"
     volumes:
       - ./uc-dataapp_resources_consumer:/etc
       - uc_consumer_data:/data
+      - ./ecc_cert:/cert
 
   be-dataapp-consumer:
     image: rdlabengpa/ids_be_data_app:develop
@@ -151,14 +167,14 @@ services:
       - ALIAS=${ALIAS}
       - ECC_HOSTNAME=ecc-consumer
       - ECC_PORT=8887
-      - ECC_WSS_PORT=${ECC_CONSUMER_WSS_PORT}
       - TZ=Europe/Rome
       - ISSUER_CONNECTOR_URI=${CONSUMER_ISSUER_CONNECTOR_URI}
       - EXTRACT_PAYLOAD_FROM_RESPONSE=${EXTRACT_PAYLOAD_FROM_RESPONSE}
       - CONTRACT_NEGOTIATION_DEMO=${CONTRACT_NEGOTIATION_DEMO}
     ports:
       - "8185:8183"
-      - "9001:9000"
+    expose:
+      - "9000"
     volumes:
       - ./be-dataapp_resources:/config
       - be-dataapp_data_sender:/home/nobody/data

ci/docker/docker-compose.yml

@@ -17,6 +17,7 @@ services:
       - DATA_APP_HEALTH_ENDPOINT=${PROVIDER_DATA_APP_HEALTH_ENDPOINT}
       - MULTIPART_EDGE=${PROVIDER_MULTIPART_EDGE}                     #Data APP endpoint multipart/mixed content type
       - MULTIPART_ECC=${MULTIPART_ECC}
+      - CONNECTOR_ID=${PROVIDER_ISSUER_CONNECTOR_URI}
       - IDSCP2=${IDSCP2}
       - WS_EDGE=${PROVIDER_WS_EDGE}
       - WS_ECC=${WS_ECC}
@@ -63,7 +64,8 @@ services:
       - CONTRACT_NEGOTIATION_DEMO=${CONTRACT_NEGOTIATION_DEMO}
     ports:
       - "8183:8183"
-      - "9000:9000"
+    expose:
+      - "9000"
     volumes:
       - ./be-dataapp_resources:/config
       - ./be-dataapp_data_receiver:/home/nobody/data
@@ -86,6 +88,7 @@ services:
       - DATA_APP_HEALTH_ENDPOINT=${CONSUMER_DATA_APP_HEALTH_ENDPOINT}
       - MULTIPART_EDGE=${CONSUMER_MULTIPART_EDGE}                     #Data APP endpoint multipart/mixed content type
       - MULTIPART_ECC=${MULTIPART_ECC}
+      - CONNECTOR_ID=${CONSUMER_ISSUER_CONNECTOR_URI}
       - IDSCP2=${IDSCP2}
       - WS_EDGE=${CONSUMER_WS_EDGE}
       - WS_ECC=${WS_ECC}
@@ -132,7 +135,8 @@ services:
       - CONTRACT_NEGOTIATION_DEMO=${CONTRACT_NEGOTIATION_DEMO}
     ports:
       - "8185:8183"
-      - "9001:9000"
+    expose:
+      - "9000"
     volumes:
       - ./be-dataapp_resources:/config
       - be-dataapp_data_sender:/home/nobody/data

ci/docker/ecc_resources_consumer/application-docker.properties

@@ -83,6 +83,9 @@ application.encodeDecodePayload=false
 application.selfdescription.registrateOnStartup=false
 application.selfdescription.brokerURL=${BROKER_URL}
 
+#Firewall
+application.firewall.isEnabled=true
+
 ### Clearng-House
 application.clearinghouse.isEnabledClearingHouse=false
 application.clearinghouse.username=
@@ -92,10 +95,8 @@ application.clearinghouse.baseUrl=${CLEARING_HOUSE}
 application.clearinghouse.logEndpoint=/messages/log/
 application.clearinghouse.processEndpoint=/process/
 
-#Connector URIs
-application.uriSchema=http
-application.uriAuthority=//w3id.org/engrd
-application.uriConnector=/connector/
+#Connector ID
+application.connectorid=${CONNECTOR_ID}
 
 #IDSCP2 enabled
 application.idscp2.isEnabled=${IDSCP2}
@@ -182,7 +183,7 @@ application.selfdescription.description=Data Consumer Connector description
 application.selfdescription.title=Data Consumer Connector title
 application.selfdescription.curator=http://consumer.curatorURI.com
 application.selfdescription.maintainer=http://consumer.maintainerURI.com
-application.selfdescription.filelocation=/
+application.selfdescription.filelocation=/home/nobody/data/sd
 application.selfdescription.inboundModelVersion=4.0.0,4.1.0,4.1.2,4.2.0,4.2.1,4.2.2,4.2.3,4.2.4,4.2.5,4.2.6,4.2.7
 
 #For logging the response over WSS set to DEBUG, else leave empty

ci/docker/ecc_resources_consumer/firewall.properties

@@ -0,0 +1,18 @@
+#Set which HTTP header names should be allowed (if want to allow all header names, keep it empty)
+allowedHeaderNames=
+#Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty)
+allowedHeaderValues=
+#Set which HTTP methods should be allowed (if want to allow all header names, keep it empty)
+allowedMethods=GET,POST
+#Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not
+allowBackSlash=true
+#Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not
+allowUrlEncodedSlash=true
+#Set if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not
+allowUrlEncodedDoubleSlash=true
+#Set if semicolon is allowed in the URL (i.e. matrix variables)
+allowSemicolon=true
+#Set if a percent "%" that is URL encoded "%25" should be allowed in the path or not
+allowUrlEncodedPercent=true
+#if a period "." that is URL encoded "%2E" should be allowed in the path or not
+allowUrlEncodedPeriod=true

ci/docker/ecc_resources_provider/application-docker.properties

@@ -83,6 +83,9 @@ application.encodeDecodePayload=false
 application.selfdescription.registrateOnStartup=false
 application.selfdescription.brokerURL=${BROKER_URL}
 
+#Firewall
+application.firewall.isEnabled=true
+
 ### Clearng-House
 application.clearinghouse.isEnabledClearingHouse=false
 application.clearinghouse.username=
@@ -92,10 +95,8 @@ application.clearinghouse.baseUrl=${CLEARING_HOUSE}
 application.clearinghouse.logEndpoint=/messages/log/
 application.clearinghouse.processEndpoint=/process/
 
-#Connector URIs
-application.uriSchema=http
-application.uriAuthority=//w3id.org/engrd
-application.uriConnector=/connector/
+#Connector ID
+application.connectorid=${CONNECTOR_ID}
 
 #IDSCP2 enabled
 application.idscp2.isEnabled=${IDSCP2}
@@ -185,7 +186,7 @@ application.selfdescription.description=Data Provider Connector description
 application.selfdescription.title=Data Provider Connector title
 application.selfdescription.curator=http://provider.curatorURI.com
 application.selfdescription.maintainer=http://provider.maintainerURI.com
-application.selfdescription.filelocation=/
+application.selfdescription.filelocation=/home/nobody/data/sd
 application.selfdescription.inboundModelVersion=4.0.0,4.1.0,4.1.2,4.2.0,4.2.1,4.2.2,4.2.3,4.2.4,4.2.5,4.2.6,4.2.7
 
 #For logging the response over WSS set to DEBUG, else leave empty

ci/docker/ecc_resources_provider/firewall.properties

@@ -0,0 +1,18 @@
+#Set which HTTP header names should be allowed (if want to allow all header names, keep it empty)
+allowedHeaderNames=
+#Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty)
+allowedHeaderValues=
+#Set which HTTP methods should be allowed (if want to allow all header names, keep it empty)
+allowedMethods=GET,POST
+#Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not
+allowBackSlash=true
+#Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not
+allowUrlEncodedSlash=true
+#Set if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not
+allowUrlEncodedDoubleSlash=true
+#Set if semicolon is allowed in the URL (i.e. matrix variables)
+allowSemicolon=true
+#Set if a percent "%" that is URL encoded "%25" should be allowed in the path or not
+allowUrlEncodedPercent=true
+#if a period "." that is URL encoded "%2E" should be allowed in the path or not
+allowUrlEncodedPeriod=true