From c9cb21301d8b44f7879ea0754ffc58eb39f8ebd7 Mon Sep 17 00:00:00 2001
From: Simon Elliston Ball
Date: Thu, 23 Jun 2016 00:26:21 +0100
Subject: [PATCH 1/2] Added support for SSL connections with client authentication
---
 NiFiDeploy.groovy | 33 +++++++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/NiFiDeploy.groovy b/NiFiDeploy.groovy
index 8372fb8..3e4f68b 100644
--- a/NiFiDeploy.groovy
+++ b/NiFiDeploy.groovy
@@ -10,11 +10,13 @@ import static groovyx.net.http.ContentType.JSON
 import static groovyx.net.http.ContentType.URLENC
 import static groovyx.net.http.Method.POST
-
+import java.security.KeyStore
+import org.apache.http.conn.scheme.Scheme
+import org.apache.http.conn.ssl.SSLSocketFactory;
 @Grab(group='org.codehaus.groovy.modules.http-builder', module='http-builder',
- version='0.7.1')
+ version='0.7.2')
 @Grab(group='org.yaml', module='snakeyaml', version='1.17')
@@ -40,6 +42,14 @@ cli.with {
 args:1, argName:'uri', type:String.class
 c longOpt: 'client-id', 'Client ID for API calls, any unique string (override)',
 args:1, argName:'id', type:String.class
+ k longOpt: 'keystore', 'The keystore file for ssl',
+ args:1, argName:'keystore', type:String.class
+ p longOpt: 'keypasswd', 'The password for the keystore',
+ args:1, argName:'keypasswd', type:String.class
+ u longOpt: 'truststore', 'The keystore file for ssl',
+ args:1, argName:'truststore', type:String.class
+ r longOpt: 'trustpasswd', 'The password for the truststore',
+ args:1, argName:'trustpasswd', type:String.class
 }
 def opts = cli.parse(args)
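Review bot: The help text for the new `u`/`--truststore` option is a copy of the keystore option's ('The keystore file for ssl') and should read `u longOpt: 'truststore', 'The truststore file for ssl',`; the same text survives as a context line in the second patch's hunk at `@@ -48,8 +48,9 @@`. Both store passwords are taken as plain command-line arguments, which any local user can read from the process list and which end up in shell history; reading them from an environment variable, or prompting with `System.console()?.readPassword()` when the option is absent, avoids that. Neither `keystore` nor `keypasswd` is marked required here, while the https block further down dereferences both unconditionally, so an https endpoint with the options omitted fails with a stack trace rather than a usage message.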
@@ -568,6 +578,25 @@ nifiHostPort = nifiHostPort.endsWith('/') ? nifiHostPort[0..-2] : nifiHostPort
 assert nifiHostPort : "No NiFI REST API endpoint provided"
 nifi = new RESTClient("$nifiHostPort/nifi-api/")
 
+
+if (nifiHostPort.startsWith("https")) {
+ // add keystore
+ def keyStore = KeyStore.getInstance( KeyStore.defaultType )
+ keyStore.load(new FileInputStream(opts.keystore), opts.keypasswd.toCharArray())
+ // add trustStore
+ SSLSocketFactory sf;
+ if (opts.truststore) {
+ def trustStore = KeyStore.getInstance( KeyStore.defaultType )
+ trustStore.load(new FileInputStream(opts.truststore), opts.trustpasswd.toCharArray())
+ sf = new SSLSocketFactory(keyStore, opts.keypasswd, trustStore)
+ } else {
+ sf = new SSLSocketFactory(keyStore)
+ }
+ sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)
+
+ nifi.client.connectionManager.schemeRegistry.register(new Scheme("https", sf, 443))
+}
+
 nifi.handler.failure = { resp, data ->
 resp.setData(data?.text)
 println "[ERROR] HTTP call failed. Status code: $resp.statusLine: $resp.data"
From 3a40dc4bc51fdda0a0823baecc49d7505e202ec4 Mon Sep 17 00:00:00 2001
From: Simon Elliston Ball
Date: Tue, 5 Jul 2016 12:23:41 +0100
Subject: [PATCH 2/2] Added option to shield hostname verification Changed names of trust and keystore passwords to match nifi config properties
---
 NiFiDeploy.groovy | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/NiFiDeploy.groovy b/NiFiDeploy.groovy
index 3e4f68b..acb3e93 100644
--- a/NiFiDeploy.groovy
+++ b/NiFiDeploy.groovy
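Review bot: The `else` branch hands the client keystore to the single-argument `SSLSocketFactory(KeyStore)` constructor, which in HttpClient 4.x takes a truststore, so without `--truststore` no client certificate is presented and the client authentication this patch is meant to add silently does not happen; `new SSLSocketFactory(keyStore, opts.keypasswd)` keeps the key material and uses the JVM's default trust store. The `FileInputStream`s opened for `keyStore.load` and `trustStore.load` are never closed, and `opts.keystore`/`opts.keypasswd` are dereferenced with no check, so an https URL given without the options dies with an exception instead of a message like the `assert nifiHostPort` line two lines up produces. `setHostnameVerifier(ALLOW_ALL_HOSTNAME_VERIFIER)` is applied unconditionally here, removing the check that ties the server certificate to the host being deployed to; the second patch makes that opt-in, so I note it only for this commit's history.
```groovy
if (nifiHostPort.startsWith("https")) {
  assert opts.keystore && opts.keypasswd : "--keystore and --keypasswd are required for an https endpoint"
  def keyStore = KeyStore.getInstance( KeyStore.defaultType )
  // withInputStream closes the file once load() returns
  new File(opts.keystore).withInputStream { keyStore.load(it, opts.keypasswd.toCharArray()) }
  SSLSocketFactory sf
  if (opts.truststore) {
    def trustStore = KeyStore.getInstance( KeyStore.defaultType )
    new File(opts.truststore).withInputStream { trustStore.load(it, opts.trustpasswd.toCharArray()) }
    sf = new SSLSocketFactory(keyStore, opts.keypasswd, trustStore)
  } else {
    // keystore + password presents the client certificate and keeps the default trust store;
    // SSLSocketFactory(KeyStore) alone would treat keyStore as a truststore instead
    sf = new SSLSocketFactory(keyStore, opts.keypasswd)
  }
  // … unchanged: hostname verifier and scheme registration …
}
```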
@@ -48,8 +48,9 @@ cli.with {
 args:1, argName:'keypasswd', type:String.class
 u longOpt: 'truststore', 'The keystore file for ssl',
 args:1, argName:'truststore', type:String.class
- r longOpt: 'trustpasswd', 'The password for the truststore',
- args:1, argName:'trustpasswd', type:String.class
+ r longOpt: 'truststorePasswd', 'The password for the truststore',
+ args:1, argName:'truststorePasswd', type:String.class
+ o longOpt: 'noverify', 'Do not verify host names for SSL'
 }
 def opts = cli.parse(args)
@@ -587,13 +588,14 @@ if (nifiHostPort.startsWith("https")) {
 SSLSocketFactory sf;
 if (opts.truststore) {
 def trustStore = KeyStore.getInstance( KeyStore.defaultType )
- trustStore.load(new FileInputStream(opts.truststore), opts.trustpasswd.toCharArray())
+ trustStore.load(new FileInputStream(opts.truststore), opts.truststorePasswd.toCharArray())
 sf = new SSLSocketFactory(keyStore, opts.keypasswd, trustStore)
 } else {
 sf = new SSLSocketFactory(keyStore)
 }
- sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)
-
+ if (opts.noverify) {
+ sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)
+ }
 nifi.client.connectionManager.schemeRegistry.register(new Scheme("https", sf, 443))
 }
 
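Review bot: Only the truststore password option is renamed; `keypasswd` keeps its old name although the commit description says the names now match NiFi's configuration properties, which pair `nifi.security.keystorePasswd` with `nifi.security.truststorePasswd`, so `p longOpt: 'keystorePasswd', 'The password for the keystore',` / `args:1, argName:'keystorePasswd', type:String.class` (plus the `opts.keypasswd` reads in the https block) would complete the rename. The new `o`/`--noverify` help text could say what the option gives up, e.g. `'Do not verify host names for SSL (the server certificate is no longer checked against the host name)'`, so that it is not mistaken for a harmless convenience flag.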
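Review bot: When `--noverify` is given, nothing tells the operator that the server certificate is no longer matched against the host name, so a deployment that ran with the check disabled is indistinguishable in the output from a verified one; a line such as `println "[WARN] --noverify given: SSL host name verification is disabled"` inside the new `if (opts.noverify)` block makes the downgrade visible in logs. The context lines still carry the single-argument `SSLSocketFactory(keyStore)` in the `else` branch and the unclosed `FileInputStream`s from the first patch, which this commit does not touch. The enclosing `if (nifiHostPort.startsWith("https"))` block begins before the hunk.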