NIFI-14381: Add flow analysis rule to identify unset SSL Context Service controller services

Author: mattyb149

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/pom.xml

@@ -23,7 +23,13 @@
     <artifactId>nifi-standard-rules</artifactId>
     <packaging>jar</packaging>
 
-    <dependencies />
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.nifi</groupId>
+            <artifactId>nifi-ssl-context-service-api</artifactId>
+            <scope>compile</scope>
+        </dependency>
+    </dependencies>
 
     <build>
         <plugins>

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/src/main/java/org/apache/nifi/flowanalysis/rules/RequireSecureConnection.java

@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.flowanalysis.rules;
+
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.annotation.documentation.UseCase;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.controller.ControllerService;
+import org.apache.nifi.flow.VersionedComponent;
+import org.apache.nifi.flow.VersionedExtensionComponent;
+import org.apache.nifi.flowanalysis.AbstractFlowAnalysisRule;
+import org.apache.nifi.flowanalysis.ComponentAnalysisResult;
+import org.apache.nifi.flowanalysis.FlowAnalysisRuleContext;
+import org.apache.nifi.processor.util.StandardValidators;
+import org.apache.nifi.ssl.SSLContextProvider;
+import org.apache.nifi.util.StringUtils;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+
+
+@Tags({"component", "processor", "controller service", "type"})
+@CapabilityDescription("Produces rule violations for each component (i.e. processors or controller services) having a property "
+        + "identifying an SSLContextService that is not set.")
+@UseCase(
+        description = "Ensure that no ports can be opened for insecure (plaintext, e.g.) communications.",
+        configuration = """
+                To avoid the violation, ensure that the "SSL Context Service" property is set for the specified component(s).
+                """
+)
+public class RequireSecureConnection extends AbstractFlowAnalysisRule {
+    public static final PropertyDescriptor COMPONENT_TYPE = new PropertyDescriptor.Builder()
+            .name("component-type")
+            .displayName("Component Type(s)")
+            .description("A comma-separated list of component types. Components of the given type that have a property identifying an SSL Context Service will produce a rule violation "
+                    + "if the service is not set. If no components are specified (i.e. this property is blank), the rule will apply to all components.")
+            .required(false)
+            .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
+            .build();
+
+    private final static List<PropertyDescriptor> PROPERTY_DESCRIPTORS = List.of(
+            COMPONENT_TYPE
+    );
+
+    @Override
+    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
+        return PROPERTY_DESCRIPTORS;
+    }
+
+    @Override
+    public Collection<ComponentAnalysisResult> analyzeComponent(VersionedComponent component, FlowAnalysisRuleContext context) {
+        Collection<ComponentAnalysisResult> results = new HashSet<>();
+        Set<String> componentTypes = new LinkedHashSet<>();
+        if (context.getProperty(COMPONENT_TYPE).isSet()) {
+            String componentTypesList = context.getProperty(COMPONENT_TYPE).getValue();
+            if (componentTypesList != null) {
+                Arrays.stream(componentTypesList.split(","))
+                        .filter(StringUtils::isNotBlank)
+                        .map(String::trim)
+                        .forEach(componentTypes::add);
+            }
+        }
+
+        String componentType = context.getProperty(COMPONENT_TYPE).getValue();
+
+        if (component instanceof VersionedExtensionComponent versionedExtensionComponent) {
+
+            String encounteredComponentType = versionedExtensionComponent.getType();
+            String encounteredSimpleComponentType = encounteredComponentType.substring(encounteredComponentType.lastIndexOf(".") + 1);
+
+            if (componentTypes.isEmpty() || componentTypes.contains(encounteredComponentType) || componentType.contains(encounteredSimpleComponentType)) {
+                Set<PropertyDescriptor> propertyDescriptors = context.getProperties().keySet();
+                // Loop over the properties for this component looking for an SSLContextService
+                for (PropertyDescriptor propertyDescriptor : propertyDescriptors) {
+                    Class<? extends ControllerService> definition = propertyDescriptor.getControllerServiceDefinition();
+                    if (definition == null) {
+                        continue;
+                    }
+                    try {
+                        // Is this an SSLContextService?
+                        definition.asSubclass(SSLContextProvider.class);
+
+                        // If it is and the property value is not set, report a violation
+                        if (!context.getProperty(propertyDescriptor).isSet()) {
+                            ComponentAnalysisResult result = new ComponentAnalysisResult(
+                                    component.getInstanceIdentifier(),
+                                    "'" + componentType + "' is not allowed"
+                            );
+
+                            results.add(result);
+                        }
+                    } catch (ClassCastException cce) {
+                        // Do nothing, this is not the property we're looking for
+                        continue;
+                    }
+                }
+            }
+        }
+
+        return results;
+    }
+}

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/src/main/resources/META-INF/services/org.apache.nifi.flowanalysis.FlowAnalysisRule

@@ -14,5 +14,6 @@
 # limitations under the License.
 
 org.apache.nifi.flowanalysis.rules.DisallowComponentType
+org.apache.nifi.flowanalysis.rules.RequireSecureConnection
 org.apache.nifi.flowanalysis.rules.RestrictBackpressureSettings
 org.apache.nifi.flowanalysis.rules.RestrictFlowFileExpiration

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/src/test/java/org/apache/nifi/flowanalysis/rules/AbstractFlowAnalaysisRuleTest.java

@@ -23,7 +23,9 @@
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.flow.VersionedProcessGroup;
+import org.apache.nifi.flow.VersionedProcessor;
 import org.apache.nifi.flowanalysis.AbstractFlowAnalysisRule;
+import org.apache.nifi.flowanalysis.ComponentAnalysisResult;
 import org.apache.nifi.flowanalysis.FlowAnalysisRuleContext;
 import org.apache.nifi.flowanalysis.GroupAnalysisResult;
 import org.apache.nifi.registry.flow.RegisteredFlowSnapshot;
@@ -39,6 +41,7 @@
 import java.util.List;
 import java.util.Map;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertIterableEquals;
 import static org.mockito.ArgumentMatchers.any;
 
@@ -62,6 +65,7 @@ public abstract class AbstractFlowAnalaysisRuleTest<T extends AbstractFlowAnalys
 
     @BeforeEach
     public void setup() {
+        properties.clear();
         rule = initializeRule();
         Mockito.lenient().when(flowAnalysisRuleContext.getProperty(any())).thenAnswer(invocation -> {
             return properties.get(invocation.getArgument(0));
@@ -72,6 +76,9 @@ public void setup() {
         Mockito.lenient().when(validationContext.getProperty(any())).thenAnswer(invocation -> {
             return properties.get(invocation.getArgument(0));
         });
+        Mockito.lenient().when(flowAnalysisRuleContext.getProperties()).thenAnswer(invocation -> {
+            return properties;
+        });
     }
 
     protected void setProperty(PropertyDescriptor propertyDescriptor, String value) {
@@ -87,4 +94,22 @@ protected void testAnalyzeProcessGroup(String flowDefinition, List<String> expec
         final Collection<GroupAnalysisResult> actual = rule.analyzeProcessGroup(getProcessGroup(flowDefinition), flowAnalysisRuleContext);
         assertIterableEquals(expected, actual.stream().map(r -> r.getComponent().get().getInstanceIdentifier()).sorted().toList());
     }
+
+
+    protected void testAnalyzeProcessors(String flowDefinition, List<ComponentAnalysisResult> expected) throws Exception {
+        VersionedProcessGroup rootPG = getProcessGroup(flowDefinition);
+        for (VersionedProcessor processor : rootPG.getProcessors()) {
+            final Collection<ComponentAnalysisResult> actual = rule.analyzeComponent(processor, flowAnalysisRuleContext);
+            final int expectedSize = (expected == null) ? 0 : expected.size();
+            final int actualSize = (actual == null) ? 0 : actual.size();
+            assertEquals(expectedSize, actualSize);
+            if (actualSize > 0) {
+                final ComponentAnalysisResult[] actualArray = actual.toArray(new ComponentAnalysisResult[actualSize]);
+
+                for (int i = 0; i < expectedSize; i++) {
+                    assertEquals(expected.get(i).getIssueId(), actualArray[i].getIssueId());
+                }
+            }
+        }
+    }
 }

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/src/test/java/org/apache/nifi/flowanalysis/rules/RequireSecureConnectionTest.java

@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.flowanalysis.rules;
+
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.flowanalysis.ComponentAnalysisResult;
+import org.apache.nifi.ssl.SSLContextProvider;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+public class RequireSecureConnectionTest extends AbstractFlowAnalaysisRuleTest<RequireSecureConnection> {
+
+    public static final PropertyDescriptor SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder()
+            .name("SSL Context Service")
+            .description("SSL Context Service enables support for HTTPS")
+            .required(false)
+            .identifiesControllerService(SSLContextProvider.class)
+            .build();
+    @Override
+    protected RequireSecureConnection initializeRule() {
+        return new RequireSecureConnection();
+    }
+
+    @BeforeEach
+    @Override
+    public void setup() {
+        super.setup();
+        setProperty(RequireSecureConnection.COMPONENT_TYPE, "ListenHTTP");
+    }
+    @Test
+    public void testNoViolations() throws Exception {
+        setProperty(SSL_CONTEXT_SERVICE, "9c50e433-c2aa-3d19-aae6-20299f4ac38c");
+        testAnalyzeProcessors(
+                "src/test/resources/RequireSecureConnection/RequireSecureConnection_noViolation.json",
+                List.of()
+        );
+    }
+
+    @Test
+    public void testViolations() throws Exception {
+        setProperty(SSL_CONTEXT_SERVICE, null);
+
+        ComponentAnalysisResult expectedResult = new ComponentAnalysisResult("b5734be4-0195-1000-0e75-bc0f150d06bd", "'ListenHTTP' is not allowed");
+        testAnalyzeProcessors(
+                "src/test/resources/RequireSecureConnection/RequireSecureConnection.json",
+                List.of(
+                        expectedResult  // processor ListenHttp with no SSLContextService set
+                )
+        );
+    }
+}

nifi-extension-bundles/nifi-standard-bundle/nifi-standard-rules/src/test/resources/RequireSecureConnection/RequireSecureConnection.json

@@ -0,0 +1 @@
+{"flowContents":{"identifier":"5d78473b-43d3-33b6-beed-83d2ae71a73d","instanceIdentifier":"b56b0714-0195-1000-2a87-e8aa1ca3849f","name":"NiFi Flow","comments":"","position":{"x":0.0,"y":0.0},"processGroups":[],"remoteProcessGroups":[],"processors":[{"identifier":"da98e020-2712-38fa-b2c9-88e0d3bb25b8","instanceIdentifier":"b5734be4-0195-1000-0e75-bc0f150d06bd","name":"ListenHTTP","comments":"","position":{"x":-51.5,"y":-241.0},"type":"org.apache.nifi.processors.standard.ListenHTTP","bundle":{"group":"org.apache.nifi","artifact":"nifi-standard-nar","version":"2.0.0.4.0.0.0-383"},"properties":{"authorized-issuer-dn-pattern":".*","multipart-request-max-size":"1 MB","record-writer":null,"Request Header Maximum Size":"8 KB","HTTP Protocols":"HTTP_1_1","HTTP Headers to receive as Attributes (Regex)":null,"health-check-port":null,"Authorized DN Pattern":".*","max-thread-pool-size":"200","Base Path":"contentListener","multipart-read-buffer-size":"512 KB","SSL Context Service":null,"Max Unconfirmed Flowfile Time":"60 secs","Max Data to Receive per Second":null,"client-authentication":"AUTO","Return Code":"200","record-reader":null,"Listening Port":"8080"},"propertyDescriptors":{"authorized-issuer-dn-pattern":{"name":"authorized-issuer-dn-pattern","displayName":"Authorized Issuer DN Pattern","identifiesControllerService":false,"sensitive":false,"dynamic":false},"multipart-request-max-size":{"name":"multipart-request-max-size","displayName":"Multipart Request Max Size","identifiesControllerService":false,"sensitive":false,"dynamic":false},"record-writer":{"name":"record-writer","displayName":"Record Writer","identifiesControllerService":true,"sensitive":false,"dynamic":false},"Request Header Maximum Size":{"name":"Request Header Maximum Size","displayName":"Request Header Maximum Size","identifiesControllerService":false,"sensitive":false,"dynamic":false},"HTTP Protocols":{"name":"HTTP Protocols","displayName":"HTTP Protocols","identifiesControllerService":false,"sensitive":false,"dynamic":false},"HTTP Headers to receive as Attributes (Regex)":{"name":"HTTP Headers to receive as Attributes (Regex)","displayName":"HTTP Headers to receive as Attributes (Regex)","identifiesControllerService":false,"sensitive":false,"dynamic":false},"health-check-port":{"name":"health-check-port","displayName":"Listening Port for Health Check Requests","identifiesControllerService":false,"sensitive":false,"dynamic":false},"Authorized DN Pattern":{"name":"Authorized DN Pattern","displayName":"Authorized Subject DN Pattern","identifiesControllerService":false,"sensitive":false,"dynamic":false},"max-thread-pool-size":{"name":"max-thread-pool-size","displayName":"Maximum Thread Pool Size","identifiesControllerService":false,"sensitive":false,"dynamic":false},"Base Path":{"name":"Base Path","displayName":"Base Path","identifiesControllerService":false,"sensitive":false,"dynamic":false},"multipart-read-buffer-size":{"name":"multipart-read-buffer-size","displayName":"Multipart Read Buffer Size","identifiesControllerService":false,"sensitive":false,"dynamic":false},"SSL Context Service":{"name":"SSL Context Service","displayName":"SSL Context Service","identifiesControllerService":true,"sensitive":false,"dynamic":false},"Max Unconfirmed Flowfile Time":{"name":"Max Unconfirmed Flowfile Time","displayName":"Max Unconfirmed Flowfile Time","identifiesControllerService":false,"sensitive":false,"dynamic":false},"Max Data to Receive per Second":{"name":"Max Data to Receive per Second","displayName":"Max Data to Receive per Second","identifiesControllerService":false,"sensitive":false,"dynamic":false},"client-authentication":{"name":"client-authentication","displayName":"Client Authentication","identifiesControllerService":false,"sensitive":false,"dynamic":false},"Return Code":{"name":"Return Code","displayName":"Return Code","identifiesControllerService":false,"sensitive":false,"dynamic":false},"record-reader":{"name":"record-reader","displayName":"Record Reader","identifiesControllerService":true,"sensitive":false,"dynamic":false},"Listening Port":{"name":"Listening Port","displayName":"Listening Port","identifiesControllerService":false,"sensitive":false,"dynamic":false}},"style":{},"schedulingPeriod":"0 sec","schedulingStrategy":"TIMER_DRIVEN","executionNode":"ALL","penaltyDuration":"30 sec","yieldDuration":"1 sec","bulletinLevel":"WARN","runDurationMillis":0,"concurrentlySchedulableTaskCount":1,"autoTerminatedRelationships":["success"],"scheduledState":"ENABLED","retryCount":10,"retriedRelationships":["success"],"backoffMechanism":"PENALIZE_FLOWFILE","maxBackoffPeriod":"10 mins","componentType":"PROCESSOR","groupIdentifier":"5d78473b-43d3-33b6-beed-83d2ae71a73d"}],"inputPorts":[],"outputPorts":[],"connections":[],"labels":[],"funnels":[],"controllerServices":[],"defaultFlowFileExpiration":"0 sec","defaultBackPressureObjectThreshold":10000,"defaultBackPressureDataSizeThreshold":"1 GB","scheduledState":"ENABLED","executionEngine":"INHERITED","maxConcurrentTasks":1,"statelessFlowTimeout":"1 min","componentType":"PROCESS_GROUP","flowFileConcurrency":"UNBOUNDED","flowFileOutboundPolicy":"STREAM_WHEN_AVAILABLE"},"externalControllerServices":{},"parameterContexts":{},"flowEncodingVersion":"1.0","parameterProviders":{},"latest":false}