NIFI-14381: Incorporate review comments, refactored SSL Context identification

Author: mattyb149

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/pom.xml

@@ -27,7 +27,7 @@
         <dependency>
             <groupId>org.apache.nifi</groupId>
             <artifactId>nifi-ssl-context-service-api</artifactId>
-            <scope>compile</scope>
+            <scope>test</scope>
         </dependency>
     </dependencies>
 

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/src/main/java/org/apache/nifi/flowanalysis/rules/RequireCustomSSLContext.java

@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.flowanalysis.rules;
+
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.annotation.documentation.UseCase;
+import org.apache.nifi.flow.VersionedComponent;
+import org.apache.nifi.flow.VersionedConfigurableExtension;
+import org.apache.nifi.flowanalysis.AbstractFlowAnalysisRule;
+import org.apache.nifi.flowanalysis.ComponentAnalysisResult;
+import org.apache.nifi.flowanalysis.FlowAnalysisRuleContext;
+import org.apache.nifi.util.StringUtils;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+
+
+@Tags({"component", "processor", "controller service", "type", "ssl", "tls", "listen"})
+@CapabilityDescription("Produces rule violations for each component (i.e. processors or controller services) having a property "
+        + "identifying an SSLContextService that is not set.")
+@UseCase(
+        description = "Ensure that an SSL Context has been configured for the specified components. This helps avoid ports being opened for insecure (plaintext, e.g.) communications.",
+        configuration = """
+                To avoid the violation, ensure that the "SSL Context Service" property is set for the specified component(s).
+                """
+)
+public class RequireCustomSSLContext extends AbstractFlowAnalysisRule {
+
+    private final List<String> componentTypes = List.of(
+            "ListenFTP",
+            "ListenHTTP",
+            "ListenTCP",
+            "ListenOLTP",
+            "ListenSyslog",
+            "HandleHttpRequest",
+            "JettyWebSocketServer"
+    );
+
+    @Override
+    public Collection<ComponentAnalysisResult> analyzeComponent(VersionedComponent component, FlowAnalysisRuleContext context) {
+        Collection<ComponentAnalysisResult> results = new HashSet<>();
+
+        if (component instanceof VersionedConfigurableExtension versionedConfigurableExtension) {
+
+            String encounteredComponentType = versionedConfigurableExtension.getType();
+            String encounteredSimpleComponentType = encounteredComponentType.substring(encounteredComponentType.lastIndexOf(".") + 1);
+
+            if (componentTypes.isEmpty() || componentTypes.contains(encounteredComponentType) || componentTypes.contains(encounteredSimpleComponentType)) {
+                // Loop over the properties for this component looking for an SSLContextService
+                versionedConfigurableExtension.getProperties().forEach((propertyName, propertyValue) -> {
+
+                    // If the SSL Context property exists and the value is not set, report a violation
+                    if (("SSL Context Service".equalsIgnoreCase(propertyName) || "ssl-context-service".equalsIgnoreCase(propertyName)) &&
+                            StringUtils.isEmpty(propertyValue)) {
+                        ComponentAnalysisResult result = new ComponentAnalysisResult(
+                                component.getInstanceIdentifier(),
+                                "'" + encounteredSimpleComponentType + "' must specify an SSL Context Service"
+                        );
+
+                        results.add(result);
+
+                    }
+                });
+            }
+        }
+        return results;
+    }
+}

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/src/main/java/org/apache/nifi/flowanalysis/rules/RequireSecureConnection.java

@@ -14,6 +14,6 @@
 # limitations under the License.
 
 org.apache.nifi.flowanalysis.rules.DisallowComponentType
-org.apache.nifi.flowanalysis.rules.RequireSecureConnection
+org.apache.nifi.flowanalysis.rules.RequireCustomSSLContext
 org.apache.nifi.flowanalysis.rules.RestrictBackpressureSettings
 org.apache.nifi.flowanalysis.rules.RestrictFlowFileExpiration

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/src/main/resources/META-INF/services/org.apache.nifi.flowanalysis.FlowAnalysisRule

@@ -0,0 +1,28 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+      http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+# RequireCustomSSLContext
+
+## Usage Information
+
+This rule should be applied to prevent flow designers from opening ports for insecure connections. The list of components to which this rule applies is as follows:
+
+- **ListenFTP**
+- **ListenHTTP**
+- **ListenTCP**
+- **ListenOLTP**
+- **ListenSyslog**
+- **HandleHttpRequest**
+- **JettyWebSocketServer**

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/src/main/resources/docs/org.apache.nifi.flowanalysis.rules.RequireCustomSSLContext/additionalDetails.md

@@ -19,12 +19,11 @@
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.flowanalysis.ComponentAnalysisResult;
 import org.apache.nifi.ssl.SSLContextProvider;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import java.util.List;
 
-public class RequireSecureConnectionTest extends AbstractFlowAnalaysisRuleTest<RequireSecureConnection> {
+public class RequireCustomSSLContextTest extends AbstractFlowAnalaysisRuleTest<RequireCustomSSLContext> {
 
     public static final PropertyDescriptor SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder()
             .name("SSL Context Service")
@@ -33,21 +32,15 @@ public class RequireSecureConnectionTest extends AbstractFlowAnalaysisRuleTest<R
             .identifiesControllerService(SSLContextProvider.class)
             .build();
     @Override
-    protected RequireSecureConnection initializeRule() {
-        return new RequireSecureConnection();
+    protected RequireCustomSSLContext initializeRule() {
+        return new RequireCustomSSLContext();
     }
 
-    @BeforeEach
-    @Override
-    public void setup() {
-        super.setup();
-        setProperty(RequireSecureConnection.COMPONENT_TYPE, "ListenHTTP");
-    }
     @Test
     public void testNoViolations() throws Exception {
         setProperty(SSL_CONTEXT_SERVICE, "9c50e433-c2aa-3d19-aae6-20299f4ac38c");
         testAnalyzeProcessors(
-                "src/test/resources/RequireSecureConnection/RequireSecureConnection_noViolation.json",
+                "src/test/resources/RequireCustomSSLContext/RequireSecureConnection_noViolation.json",
                 List.of()
         );
     }
@@ -58,7 +51,7 @@ public void testViolations() throws Exception {
 
         ComponentAnalysisResult expectedResult = new ComponentAnalysisResult("b5734be4-0195-1000-0e75-bc0f150d06bd", "'ListenHTTP' is not allowed");
         testAnalyzeProcessors(
-                "src/test/resources/RequireSecureConnection/RequireSecureConnection.json",
+                "src/test/resources/RequireCustomSSLContext/RequireCustomSSLContext.json",
                 List.of(
                         expectedResult  // processor ListenHttp with no SSLContextService set
                 )