apache · bbende · Apr 27, 2021 · Apr 21, 2021 · Apr 23, 2021
diff --git a/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/RunNiFi.java b/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/RunNiFi.java
@@ -16,6 +16,14 @@
  */
 package org.apache.nifi.bootstrap;
 
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.bootstrap.notification.NotificationType;
+import org.apache.nifi.bootstrap.util.OSUtils;
+import org.apache.nifi.bootstrap.util.SecureNiFiConfigUtil;
+import org.apache.nifi.util.file.FileUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import java.io.BufferedReader;
 import java.io.BufferedWriter;
 import java.io.File;
@@ -60,12 +68,6 @@
 import java.util.concurrent.locks.Condition;
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
-import org.apache.commons.lang3.StringUtils;
-import org.apache.nifi.bootstrap.notification.NotificationType;
-import org.apache.nifi.bootstrap.util.OSUtils;
-import org.apache.nifi.util.file.FileUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  * <p>
@@ -1110,6 +1112,12 @@ public boolean accept(final File dir, final String filename) {
             }
         }
 
+        try {
+            SecureNiFiConfigUtil.configureSecureNiFiProperties(nifiPropsFilename, cmdLogger);
+        } catch (IOException | RuntimeException e) {
+            cmdLogger.error("Self-Signed Certificate Generation Failed", e);
+        }
+
         final NiFiListener listener = new NiFiListener();
         final int listenPort = listener.start(this);
 

diff --git a/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/util/SecureNiFiConfigUtil.java b/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/util/SecureNiFiConfigUtil.java
@@ -0,0 +1,197 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.bootstrap.util;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.security.util.KeyStoreUtils;
+import org.apache.nifi.security.util.StandardTlsConfiguration;
+import org.apache.nifi.security.util.TlsConfiguration;
+import org.apache.nifi.util.NiFiProperties;
+import org.bouncycastle.util.IPAddress;
+import org.slf4j.Logger;
+
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardCopyOption;
+import java.security.GeneralSecurityException;
+import java.time.LocalDate;
+import java.time.temporal.ChronoUnit;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Properties;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+public class SecureNiFiConfigUtil {
+
+    private static final int CERT_DURATION_DAYS = 60;
+    private static final String LOCALHOST_NAME = "localhost";
+    private static final String PROPERTY_VALUE_PATTERN = "%s=%s";
+
+    private SecureNiFiConfigUtil() {
+
+    }
+
+    private static boolean fileExists(String filename) {
+        return StringUtils.isNotEmpty(filename) && Paths.get(filename).toFile().exists();
+    }
+
+    private static boolean isHttpsSecurityConfigured(final Properties nifiProperties) {
+        if (StringUtils.isEmpty(nifiProperties.getProperty(NiFiProperties.WEB_HTTPS_PORT, StringUtils.EMPTY))) {
+            return false;
+        }
+
+        String keystorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE, StringUtils.EMPTY);
+        String truststorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE, StringUtils.EMPTY);
+        if (StringUtils.isEmpty(keystorePath) || StringUtils.isEmpty(truststorePath)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * If HTTPS is enabled (nifi.web.https.port is set), but the keystore file specified in nifi.security.keystore
+     * does not exist, this will generate a key pair and self-signed certificate, generate the associated keystore
+     * and truststore and write them to disk under the configured filepaths, generate a secure random keystore password
+     * and truststore password, and write these to the nifi.properties file.
+     * @param nifiPropertiesFilename The filename of the nifi.properties file
+     * @param cmdLogger The bootstrap logger
+     * @throws IOException can be thrown when writing keystores to disk
+     * @throws RuntimeException indicates a security exception while generating keystores
+     */
+    public static void configureSecureNiFiProperties(String nifiPropertiesFilename, Logger cmdLogger) throws IOException, RuntimeException {
+        final File propertiesFile = new File(nifiPropertiesFilename);
+        final Properties nifiProperties = loadProperties(propertiesFile);
+
+        if (!isHttpsSecurityConfigured(nifiProperties)) {
+            cmdLogger.debug("No HTTPS configuration detected: skipping Apache Nifi certificate generation.");
+            return;
+        }
+
+        String keystorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_KEYSTORE, StringUtils.EMPTY);
+        String truststorePath = nifiProperties.getProperty(NiFiProperties.SECURITY_TRUSTSTORE, StringUtils.EMPTY);
+        boolean keystoreExists = fileExists(keystorePath);
+        boolean truststoreExists = fileExists(truststorePath);
+
+        if (!keystoreExists && !truststoreExists) {
+            TlsConfiguration tlsConfiguration = null;
+            cmdLogger.info("Generating Self-Signed Certificate: Expires on {}", LocalDate.now().plus(CERT_DURATION_DAYS, ChronoUnit.DAYS));
+            try {
+                String[] subjectAlternativeNames = getSubjectAlternativeNames(nifiProperties, cmdLogger);
+                tlsConfiguration = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore(StandardTlsConfiguration
+                        .fromNiFiProperties(nifiProperties), CERT_DURATION_DAYS, subjectAlternativeNames);
+            } catch (GeneralSecurityException e) {
+                throw new RuntimeException(e);
+            }
+
+            // Move over the new stores from temp dir
+            Files.move(Paths.get(tlsConfiguration.getKeystorePath()), Paths.get(keystorePath),
+                    StandardCopyOption.REPLACE_EXISTING);
+            Files.move(Paths.get(tlsConfiguration.getTruststorePath()), Paths.get(truststorePath),
+                    StandardCopyOption.REPLACE_EXISTING);
+
+            updateProperties(propertiesFile, tlsConfiguration);
+
+            cmdLogger.debug("Generated Keystore [{}] Truststore [{}]", keystorePath, truststorePath);
+        } else if (!keystoreExists && truststoreExists) {
+            cmdLogger.warn("Truststore file {} already exists.  Apache NiFi will not generate keystore and truststore separately.",
+                    truststorePath);
+        } else if (keystoreExists && !truststoreExists) {
+            cmdLogger.warn("Keystore file {} already exists.  Apache NiFi will not generate keystore and truststore separately.",
+                    keystorePath);
+        }
+    }
+
+    /**
+     * Attempts to add some reasonable guesses at desired SAN values that can be added to the generated
+     * certificate.
+     * @param nifiProperties The nifi.properties
+     * @return A Pair with IP SANs on the left and DNS SANs on the right
+     */
+    private static String[] getSubjectAlternativeNames(Properties nifiProperties, Logger cmdLogger) {
+        Set<String> dnsSubjectAlternativeNames = new HashSet<>();
+
+        try {
+            dnsSubjectAlternativeNames.add(InetAddress.getLocalHost().getHostName());
+        } catch (UnknownHostException e) {
+            cmdLogger.debug("Could not add localhost hostname as certificate SAN", e);
+        }
+        addSubjectAlternativeName(nifiProperties, NiFiProperties.REMOTE_INPUT_HOST, dnsSubjectAlternativeNames);
+        addSubjectAlternativeName(nifiProperties, NiFiProperties.WEB_HTTPS_HOST, dnsSubjectAlternativeNames);
+        addSubjectAlternativeName(nifiProperties, NiFiProperties.WEB_PROXY_HOST, dnsSubjectAlternativeNames);
+        addSubjectAlternativeName(nifiProperties, NiFiProperties.LOAD_BALANCE_ADDRESS, dnsSubjectAlternativeNames);
+
+        // Not necessary to add as a SAN
+        dnsSubjectAlternativeNames.remove(LOCALHOST_NAME);
+
+        return dnsSubjectAlternativeNames.toArray(new String[dnsSubjectAlternativeNames.size()]);
+    }
+
+    private static void addSubjectAlternativeName(Properties nifiProperties, String propertyName,
+                                                  Set<String> dnsSubjectAlternativeNames) {
+        String hostValue = nifiProperties.getProperty(propertyName, StringUtils.EMPTY);
+        if (!hostValue.isEmpty()) {
+            if (!IPAddress.isValid(hostValue)) {
+                dnsSubjectAlternativeNames.add(hostValue);
+            }
+        }
+    }
+
+    private static String getPropertyLine(String name, String value) {
+        return String.format(PROPERTY_VALUE_PATTERN, name, value);
+    }
+
+    private static void updateProperties(final File propertiesFile, final TlsConfiguration tlsConfiguration) throws IOException {
+        final Path propertiesFilePath = propertiesFile.toPath();
+        final List<String> lines = Files.readAllLines(propertiesFilePath);
+        final List<String> updatedLines = lines.stream().map(line -> {
+            if (line.startsWith(NiFiProperties.SECURITY_KEYSTORE_PASSWD)) {
+                return getPropertyLine(NiFiProperties.SECURITY_KEYSTORE_PASSWD, tlsConfiguration.getKeystorePassword());
+            } else if (line.startsWith(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD)) {
+                return getPropertyLine(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD, tlsConfiguration.getTruststorePassword());
+            } else if (line.startsWith(NiFiProperties.SECURITY_KEY_PASSWD)) {
+                return getPropertyLine(NiFiProperties.SECURITY_KEY_PASSWD, tlsConfiguration.getKeystorePassword());
+            } else if (line.startsWith(NiFiProperties.SECURITY_KEYSTORE_TYPE)) {
+                return getPropertyLine(NiFiProperties.SECURITY_KEYSTORE_TYPE, tlsConfiguration.getKeystoreType().getType());
+            } else if (line.startsWith(NiFiProperties.SECURITY_TRUSTSTORE_TYPE)) {
+                return getPropertyLine(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, tlsConfiguration.getTruststoreType().getType());
+            } else {
+                return line;
+            }
+        }).collect(Collectors.toList());
+        Files.write(propertiesFilePath, updatedLines);
+    }
+
+    private static Properties loadProperties(final File propertiesFile) {
+        final Properties properties = new Properties();
+        try (final FileReader reader = new FileReader(propertiesFile)) {
+            properties.load(reader);
+        } catch (final IOException e) {
+            final String message = String.format("Failed to read NiFi Properties [%s]", propertiesFile);
+            throw new UncheckedIOException(message, e);
+        }
+        return properties;
+    }
+}