feat: Introduce "minimum supported Client version" configuration parameter for Server Proxy

src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/InitializationServiceImpl.java

@@ -135,7 +135,6 @@ public void initialize(InitialServerConfDto configDto) {
             tokenPinValidator.validateSoftwareTokenPin(configDto.getSoftwareTokenPin().toCharArray());
         }
 
-
         if (!isServerAddressInitialized) {
             systemParameterService.updateOrCreateParameter(
                     SystemParameterService.CENTRAL_SERVER_ADDRESS,

src/common/common-util/src/main/java/ee/ria/xroad/common/ErrorCodes.java

@@ -126,6 +126,7 @@ public final class ErrorCodes {
     public static final String X_INVALID_CLIENT_IDENTIFIER =
             "InvalidClientIdentifier";
     public static final String X_INVALID_SERVICE_TYPE = "ServiceType";
+    public static final String X_CLIENT_PROXY_VERSION_NOT_SUPPORTED = "ClientProxyVersionNotSupported";
 
     // ASiC container related errors
 

src/common/common-util/src/main/java/ee/ria/xroad/common/SystemProperties.java

@@ -213,6 +213,10 @@ private SystemProperties() {
     private static final String SERVERPROXY_CONNECTOR_SO_LINGER =
             PREFIX + "proxy.server-connector-so-linger";
 
+    /** Property name of the server's minimum supported client version */
+    private static final String SERVERPROXY_MIN_SUPPORTED_CLIENT_VERSION =
+            PREFIX + "proxy.server-min-supported-client-version";
+
     private static final String SERVERPROXY_SUPPORT_CLIENTS_POOLED_CONNECTIONS =
             PREFIX + "proxy.server-support-clients-pooled-connections";
 
@@ -1376,7 +1380,7 @@ public static String[] getXroadTLSCipherSuites() {
      * @return true if PIN policy should be enforced.
      */
     public static boolean shouldEnforceTokenPinPolicy() {
-        return Boolean.valueOf(System.getProperty(SIGNER_ENFORCE_TOKEN_PIN_POLICY,
+        return Boolean.parseBoolean(System.getProperty(SIGNER_ENFORCE_TOKEN_PIN_POLICY,
                 DEFAULT_SIGNER_ENFORCE_TOKEN_PIN_POLICY));
     }
 
@@ -1411,7 +1415,6 @@ public static long getServerProxyConnectorInitialIdleTime() {
     public static int getServerProxyConnectorMaxIdleTime() {
         return Integer.parseInt(System.getProperty(SERVERPROXY_CONNECTOR_MAX_IDLE_TIME,
                 DEFAULT_SERVERPROXY_CONNECTOR_MAX_IDLE_TIME));
-
     }
 
     /**
@@ -1426,6 +1429,10 @@ public static int getServerProxyConnectorSoLinger() {
         return -1;
     }
 
+    public static String getServerProxyMinSupportedClientVersion() {
+        return System.getProperty(SERVERPROXY_MIN_SUPPORTED_CLIENT_VERSION);
+    }
+
     /**
      * @return the connection maximum idle time that should be set for client proxy apache HttpClient
      */

src/proxy/build.gradle

@@ -15,6 +15,8 @@ dependencies {
 
     implementation "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml"
 
+    implementation 'org.semver4j:semver4j:5.0.0'
+
     testImplementation project(':common:common-test')
     testImplementation project(path: ':common:common-util', configuration: 'testArtifacts')
 

src/proxy/src/main/java/ee/ria/xroad/proxy/serverproxy/ServerProxyHandler.java

@@ -42,6 +42,7 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.http.client.HttpClient;
 import org.eclipse.jetty.server.Request;
+import org.semver4j.Semver;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -50,8 +51,10 @@
 import java.io.IOException;
 import java.security.cert.X509Certificate;
 import java.util.Date;
+import java.util.Optional;
 
 import static ee.ria.xroad.common.ErrorCodes.SERVER_SERVERPROXY_X;
+import static ee.ria.xroad.common.ErrorCodes.X_CLIENT_PROXY_VERSION_NOT_SUPPORTED;
 import static ee.ria.xroad.common.ErrorCodes.X_INVALID_HTTP_METHOD;
 import static ee.ria.xroad.common.ErrorCodes.translateWithPrefix;
 import static ee.ria.xroad.common.opmonitoring.OpMonitoringData.SecurityServerType.PRODUCER;
@@ -63,11 +66,18 @@
 class ServerProxyHandler extends HandlerBase {
 
     private static final String UNKNOWN_VERSION = "unknown";
+    private static final Semver MIN_SUPPORTED_CLIENT_VERSION;
 
     private final HttpClient client;
     private final HttpClient opMonitorClient;
     private final long idleTimeout = SystemProperties.getServerProxyConnectorMaxIdleTime();
 
+    static {
+        MIN_SUPPORTED_CLIENT_VERSION = Optional.ofNullable(SystemProperties.getServerProxyMinSupportedClientVersion())
+                .map(Semver::new)
+                .orElse(null);
+    }
+
     ServerProxyHandler(HttpClient client, HttpClient opMonitorClient) {
         this.client = client;
         this.opMonitorClient = opMonitorClient;
@@ -93,7 +103,7 @@ public void handle(String target, Request baseRequest, final HttpServletRequest
 
             GlobalConf.verifyValidity();
 
-            logProxyVersion(request);
+            checkClientProxyVersion(request);
             baseRequest.getHttpChannel().setIdleTimeout(idleTimeout);
             final MessageProcessorBase processor = createRequestProcessor(request, response, opMonitoringData);
             processor.process();
@@ -124,7 +134,7 @@ public void handle(String target, Request baseRequest, final HttpServletRequest
     }
 
     private MessageProcessorBase createRequestProcessor(HttpServletRequest request, HttpServletResponse response,
-            OpMonitoringData opMonitoringData) throws Exception {
+            OpMonitoringData opMonitoringData) {
 
         if (VALUE_MESSAGE_TYPE_REST.equals(request.getHeader(HEADER_MESSAGE_TYPE))) {
             return new ServerRestMessageProcessor(request, response, client, getClientSslCertChain(request),
@@ -142,23 +152,27 @@ protected void failure(HttpServletRequest request, HttpServletResponse response,
         sendErrorResponse(request, response, e);
     }
 
-    private static void logProxyVersion(HttpServletRequest request) {
-        String thatVersion = getVersion(request.getHeader(MimeUtils.HEADER_PROXY_VERSION));
+    private static void checkClientProxyVersion(HttpServletRequest request) {
+        String clientVersion = getVersion(request.getHeader(MimeUtils.HEADER_PROXY_VERSION));
         String thisVersion = getVersion(ProxyMain.readProxyVersion());
 
-        log.info("Received request from {} (security server version: {})", request.getRemoteAddr(), thatVersion);
+        log.info("Received request from {} (security server version: {})", request.getRemoteAddr(), clientVersion);
+
+        if (MIN_SUPPORTED_CLIENT_VERSION != null && MIN_SUPPORTED_CLIENT_VERSION.isGreaterThan(new Semver(clientVersion))) {
+            throw new CodedException(X_CLIENT_PROXY_VERSION_NOT_SUPPORTED,
+                    "The minimum supported version for client security server is: %s ", MIN_SUPPORTED_CLIENT_VERSION.toString());
+        }
 
-        if (!thatVersion.equals(thisVersion)) {
-            log.warn("Peer security server version ({}) does not match host security server version ({})", thatVersion,
-                    thisVersion);
+        if (!clientVersion.equals(thisVersion)) {
+            log.warn("Peer security server version ({}) does not match host security server version ({})", clientVersion, thisVersion);
         }
     }
 
     private static String getVersion(String value) {
         return !StringUtils.isBlank(value) ? value : UNKNOWN_VERSION;
     }
 
-    private static X509Certificate[] getClientSslCertChain(HttpServletRequest request) throws Exception {
+    private static X509Certificate[] getClientSslCertChain(HttpServletRequest request) {
         Object attribute = request.getAttribute("javax.servlet.request.X509Certificate");
 
         if (attribute != null) {

src/proxy/src/test/java/ee/ria/xroad/proxy/serverproxy/ServerProxyHandlerTest.java

@@ -0,0 +1,100 @@
+/*
+ * The MIT License
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.proxy.serverproxy;
+
+import ee.ria.xroad.common.conf.globalconf.GlobalConf;
+import ee.ria.xroad.common.util.MimeUtils;
+
+import org.apache.http.client.HttpClient;
+import org.eclipse.jetty.server.Request;
+import org.junit.Test;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+public class ServerProxyHandlerTest {
+    private static final String CLIENT_VERSION_6_26_3 = "6.26.3";
+    private static final String CLIENT_VERSION_7_1_3 = "7.1.3";
+    private static final String VERSION_7_1_3 = "7.1.3";
+    private static final String MIN_SUPPORTED_CLIENT_VERSION = "xroad.proxy.server-min-supported-client-version";
+
+    @Test
+    public void shouldNotPassClientProxyVersionCheck() throws Exception {
+        final HttpServletRequest request = getMockedRequest();
+        final Request baseRequest = mock(Request.class);
+        when(request.getHeader(MimeUtils.HEADER_PROXY_VERSION)).thenReturn(CLIENT_VERSION_6_26_3);
+        System.setProperty(MIN_SUPPORTED_CLIENT_VERSION, VERSION_7_1_3);
+        ServerProxyHandler serverProxyHandler = new ServerProxyHandler(mock(HttpClient.class), mock(HttpClient.class));
+
+        try (MockedStatic<GlobalConf> mock = Mockito.mockStatic(GlobalConf.class)) {
+            mock.when(GlobalConf::verifyValidity).then(invocationOnMock -> null);
+
+            serverProxyHandler.handle("target", baseRequest, request, getMockedResponse());
+        }
+
+        verify(baseRequest, times(0)).getHttpChannel();
+    }
+
+    @Test
+    public void shouldPassClientProxyVersionCheck() throws Exception {
+        final HttpServletRequest request = getMockedRequest();
+        final Request baseRequest = mock(Request.class);
+        when(request.getHeader(MimeUtils.HEADER_PROXY_VERSION)).thenReturn(CLIENT_VERSION_7_1_3);
+        System.setProperty(MIN_SUPPORTED_CLIENT_VERSION, VERSION_7_1_3);
+        ServerProxyHandler serverProxyHandler = new ServerProxyHandler(mock(HttpClient.class), mock(HttpClient.class));
+
+        try (MockedStatic<GlobalConf> mock = Mockito.mockStatic(GlobalConf.class)) {
+            mock.when(GlobalConf::verifyValidity).then(invocationOnMock -> null);
+
+            serverProxyHandler.handle("target", baseRequest, request, getMockedResponse());
+        }
+
+        verify(baseRequest, times(1)).getHttpChannel();
+    }
+
+    private HttpServletRequest getMockedRequest() {
+        final HttpServletRequest request = mock(HttpServletRequest.class);
+        when(request.getRemoteAddr()).thenReturn("remoteAddr");
+        when(request.getMethod()).thenReturn("POST");
+        return request;
+    }
+
+    private HttpServletResponse getMockedResponse() throws IOException {
+        final HttpServletResponse response = mock(HttpServletResponse.class);
+        when(response.getOutputStream()).thenReturn(mock(ServletOutputStream.class));
+        return response;
+    }
+}