brooklyn-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rich...@apache.org
Subject [3/7] git commit: add support for keystore set from brooklyn.properties
Date Wed, 11 Jun 2014 22:25:22 GMT
add support for keystore set from brooklyn.properties


Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/94ede086
Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/94ede086
Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/94ede086

Branch: refs/heads/master
Commit: 94ede0862e5f18ed997787f249f7c00bc5184185
Parents: 0ce9b0c
Author: Alex Heneveld <alex.heneveld@cloudsoftcorp.com>
Authored: Tue Jun 10 21:44:53 2014 -0700
Committer: Alex Heneveld <alex.heneveld@cloudsoftcorp.com>
Committed: Tue Jun 10 22:19:53 2014 -0700

----------------------------------------------------------------------
 usage/launcher/pom.xml                          |  8 +++++
 .../brooklyn/launcher/BrooklynWebServer.java    | 33 +++++++++++++++---
 .../launcher/BrooklynWebServerTest.java         | 35 ++++++++++++++++++--
 .../java/brooklyn/rest/BrooklynWebConfig.java   | 19 ++++++-----
 .../provider/ExplicitUsersSecurityProvider.java | 21 ------------
 5 files changed, 78 insertions(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/94ede086/usage/launcher/pom.xml
----------------------------------------------------------------------
diff --git a/usage/launcher/pom.xml b/usage/launcher/pom.xml
index 9fbe572..d5c21ce 100644
--- a/usage/launcher/pom.xml
+++ b/usage/launcher/pom.xml
@@ -75,6 +75,14 @@
             <version>${project.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.brooklyn</groupId>
+            <artifactId>brooklyn-core</artifactId>
+            <version>${project.version}</version>
+            <classifier>tests</classifier>
+            <scope>test</scope>
+        </dependency>
+        
     	<dependency>
             <groupId>io.brooklyn</groupId>
             <artifactId>brooklyn-software-nosql</artifactId>

http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/94ede086/usage/launcher/src/main/java/brooklyn/launcher/BrooklynWebServer.java
----------------------------------------------------------------------
diff --git a/usage/launcher/src/main/java/brooklyn/launcher/BrooklynWebServer.java b/usage/launcher/src/main/java/brooklyn/launcher/BrooklynWebServer.java
index 28c588b..dd611e4 100644
--- a/usage/launcher/src/main/java/brooklyn/launcher/BrooklynWebServer.java
+++ b/usage/launcher/src/main/java/brooklyn/launcher/BrooklynWebServer.java
@@ -78,7 +78,7 @@ public class BrooklynWebServer {
                 BROOKLYN_WAR_URL, "/usage/launcher/target", 
                 "/usage/jsgui/target/brooklyn-jsgui-"+BrooklynVersion.get()+".war"));
     }
-
+    
     static {
         LoggingSetup.installJavaUtilLoggingBridge();
     }
@@ -126,12 +126,18 @@ public class BrooklynWebServer {
     private Boolean httpsEnabled;
 
     @SetFromFlag
+    private String sslCertificate;
+
+    @SetFromFlag
     private String keystorePath;
 
     @SetFromFlag
     private String keystorePassword;
 
     @SetFromFlag
+    private String keystoreCertAlias;
+
+    @SetFromFlag
     private String truststorePath;
 
     @SetFromFlag
@@ -326,23 +332,40 @@ public class BrooklynWebServer {
             }
 
             SslContextFactory sslContextFactory = new SslContextFactory();
+
+            if (keystorePath==null) keystorePath = managementContext.getConfig().getConfig(BrooklynWebConfig.KEYSTORE_URL);
+            if (keystorePassword==null) keystorePassword = managementContext.getConfig().getConfig(BrooklynWebConfig.KEYSTORE_PASSWORD);
+            if (keystoreCertAlias==null) keystoreCertAlias = managementContext.getConfig().getConfig(BrooklynWebConfig.KEYSTORE_CERTIFICATE_ALIAS);
+            
             if (keystorePath!=null) {
                 sslContextFactory.setKeyStorePath(checkFileExists(keystorePath, "keystore"));
+                if (Strings.isEmpty(keystorePassword))
+                    throw new IllegalArgumentException("Keystore password is required and
non-empty if keystore is specified.");
                 sslContextFactory.setKeyStorePassword(keystorePassword);
+                if (Strings.isNonEmpty(keystoreCertAlias))
+                    sslContextFactory.setCertAlias(keystoreCertAlias);
             } else {
                 // TODO allow webconsole keystore & related properties to be set in brooklyn.properties

                 log.info("No keystore specified but https enabled; creating a default keystore");
+                
+                if (Strings.isEmpty(keystoreCertAlias))
+                    keystoreCertAlias = "web-console";
+                
                 // if password is blank the process will block and read from stdin !
-                if (Strings.isEmpty(keystorePassword))
-                    keystorePassword = "password";
+                if (Strings.isEmpty(keystorePassword)) {
+                    keystorePassword = Identifiers.makeRandomId(8);
+                    log.debug("created random password "+keystorePassword+" for ad hoc internal
keystore");
+                }
                 
                 KeyStore ks = SecureKeys.newKeyStore();
                 KeyPair key = SecureKeys.newKeyPair();
                 X509Certificate cert = new FluentKeySigner("brooklyn").newCertificateFor("web-console",
key);
-                ks.setKeyEntry("web-console", key.getPrivate(), keystorePassword.toCharArray(),
-                        new Certificate[] { cert });                
+                ks.setKeyEntry(keystoreCertAlias, key.getPrivate(), keystorePassword.toCharArray(),
+                    new Certificate[] { cert });
+                
                 sslContextFactory.setKeyStore(ks);
                 sslContextFactory.setKeyStorePassword(keystorePassword);
+                sslContextFactory.setCertAlias(keystoreCertAlias);
             }
             if (!Strings.isEmpty(truststorePath)) {
                 sslContextFactory.setTrustStore(checkFileExists(truststorePath, "truststore"));

http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/94ede086/usage/launcher/src/test/java/brooklyn/launcher/BrooklynWebServerTest.java
----------------------------------------------------------------------
diff --git a/usage/launcher/src/test/java/brooklyn/launcher/BrooklynWebServerTest.java b/usage/launcher/src/test/java/brooklyn/launcher/BrooklynWebServerTest.java
index 5f28089..5a14170 100644
--- a/usage/launcher/src/test/java/brooklyn/launcher/BrooklynWebServerTest.java
+++ b/usage/launcher/src/test/java/brooklyn/launcher/BrooklynWebServerTest.java
@@ -14,6 +14,7 @@ import org.apache.http.conn.ssl.SSLSocketFactory;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.testng.Assert;
 import org.testng.annotations.AfterMethod;
 import org.testng.annotations.BeforeMethod;
 import org.testng.annotations.Test;
@@ -21,6 +22,9 @@ import org.testng.annotations.Test;
 import brooklyn.config.BrooklynProperties;
 import brooklyn.entity.basic.Entities;
 import brooklyn.management.internal.LocalManagementContext;
+import brooklyn.rest.BrooklynWebConfig;
+import brooklyn.test.entity.LocalManagementContextForTests;
+import brooklyn.util.collections.MutableMap;
 import brooklyn.util.http.HttpTool;
 import brooklyn.util.http.HttpToolResponse;
 
@@ -50,7 +54,7 @@ public class BrooklynWebServerTest {
     }
     
     private LocalManagementContext newManagementContext(BrooklynProperties brooklynProperties)
{
-        LocalManagementContext result = new LocalManagementContext(brooklynProperties);
+        LocalManagementContext result = new LocalManagementContextForTests(brooklynProperties);
         managementContexts.add(result);
         return result;
     }
@@ -74,8 +78,6 @@ public class BrooklynWebServerTest {
                 .put("httpsEnabled", true)
                 .put("keystorePath", getFile("server.ks"))
                 .put("keystorePassword", "password")
-                .put("truststorePath", getFile("server.ts"))
-                .put("trustStorePassword", "password")
                 .build();
         webServer = new BrooklynWebServer(flags, newManagementContext(brooklynProperties));
         webServer.start();
@@ -98,6 +100,32 @@ public class BrooklynWebServerTest {
         }
     }
 
+    @Test
+    public void verifyHttpsFromConfig() throws Exception {
+        brooklynProperties.put(BrooklynWebConfig.HTTPS_REQUIRED, true);
+        brooklynProperties.put(BrooklynWebConfig.KEYSTORE_URL, getFile("server.ks"));
+        brooklynProperties.put(BrooklynWebConfig.KEYSTORE_PASSWORD, "password");
+        webServer = new BrooklynWebServer(MutableMap.of(), newManagementContext(brooklynProperties));
+        webServer.start();
+        
+        try {
+            KeyStore keyStore = load("client.ks", "password");
+            KeyStore trustStore = load("client.ts", "password");
+            SSLSocketFactory socketFactory = new SSLSocketFactory(SSLSocketFactory.TLS, keyStore,
"password", trustStore, (SecureRandom)null, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+
+            HttpToolResponse response = HttpTool.execAndConsume(
+                    HttpTool.httpClientBuilder()
+                            .port(webServer.getActualPort())
+                            .https(true)
+                            .socketFactory(socketFactory)
+                            .build(),
+                    new HttpGet(webServer.getRootUrl()));
+            assertEquals(response.getResponseCode(), 200);
+        } finally {
+            webServer.stop();
+        }
+    }
+
     private KeyStore load(String name, String password) throws Exception {
         KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
         FileInputStream instream = new FileInputStream(new File(getFile(name)));
@@ -106,6 +134,7 @@ public class BrooklynWebServerTest {
     }
 
     private String getFile(String file) {
+        // this works because both IDE and Maven run tests with classes/resources on the
file system
         return new File(getClass().getResource("/" + file).getFile()).getAbsolutePath();
     }
 }

http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/94ede086/usage/rest-server/src/main/java/brooklyn/rest/BrooklynWebConfig.java
----------------------------------------------------------------------
diff --git a/usage/rest-server/src/main/java/brooklyn/rest/BrooklynWebConfig.java b/usage/rest-server/src/main/java/brooklyn/rest/BrooklynWebConfig.java
index 5fd1104..f8bd90a 100644
--- a/usage/rest-server/src/main/java/brooklyn/rest/BrooklynWebConfig.java
+++ b/usage/rest-server/src/main/java/brooklyn/rest/BrooklynWebConfig.java
@@ -31,15 +31,6 @@ public class BrooklynWebConfig {
         return new BasicConfigKey<String>(String.class, BASE_NAME_SECURITY+".user."+user+".password");
     }
     
-    /** @deprecated since 0.6.0; use #USERS */
-    public final static ConfigKey<String> SECURITY_PROVIDER_EXPLICIT__USERS = new BasicConfigKey<String>(String.class,
-            BASE_NAME_SECURITY+".explicit.users");
-    
-    /** @deprecated since 0.6.0; use #PASSWORD_FOR_USER */
-    public final static ConfigKey<String> SECURITY_PROVIDER_EXPLICIT__PASSWORD(String
user) {
-        return new BasicConfigKey<String>(String.class, BASE_NAME+".security.explicit.user."+user);
-    }
-
     public final static ConfigKey<String> LDAP_URL = new BasicConfigKey<String>(String.class,
             BASE_NAME_SECURITY+".ldap.url");
 
@@ -49,6 +40,16 @@ public class BrooklynWebConfig {
     public final static ConfigKey<Boolean> HTTPS_REQUIRED = ConfigKeys.newBooleanConfigKey(BASE_NAME+".security.https.required",
             "Whether HTTPS is required", false); 
 
+    public final static ConfigKey<String> KEYSTORE_URL = ConfigKeys.newStringConfigKey(BASE_NAME+".security.keystore.url",
+        "Keystore from which to take the certificate to present when running HTTPS; "
+        + "note that normally the password is also required, and an alias for the certificate
if the keystore has more than one"); 
+
+    public final static ConfigKey<String> KEYSTORE_PASSWORD = ConfigKeys.newStringConfigKey(BASE_NAME+".security.keystore.password",
+        "Password for the "+KEYSTORE_URL); 
+
+    public final static ConfigKey<String> KEYSTORE_CERTIFICATE_ALIAS = ConfigKeys.newStringConfigKey(BASE_NAME+".security.keystore.certificate.alias",
+        "Alias in "+KEYSTORE_URL+" for the certificate to use; defaults to the first if not
supplied"); 
+
     public final static boolean hasNoSecurityOptions(ConfigMap config) {
         return config.submap(ConfigPredicates.startingWith(BrooklynWebConfig.BASE_NAME_SECURITY)).isEmpty();
     }

http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/94ede086/usage/rest-server/src/main/java/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
----------------------------------------------------------------------
diff --git a/usage/rest-server/src/main/java/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
b/usage/rest-server/src/main/java/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
index 77ee2c9..dfa70f8 100644
--- a/usage/rest-server/src/main/java/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
+++ b/usage/rest-server/src/main/java/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
@@ -1,7 +1,5 @@
 package brooklyn.rest.security.provider;
 
-import java.util.Collections;
-import java.util.HashSet;
 import java.util.LinkedHashSet;
 import java.util.Set;
 import java.util.StringTokenizer;
@@ -24,8 +22,6 @@ public class ExplicitUsersSecurityProvider implements SecurityProvider {
     
     public static final String AUTHENTICATION_KEY = ExplicitUsersSecurityProvider.class.getCanonicalName()+"."+"AUTHENTICATED";
 
-    private static final Set<String> DEPRECATED_WARNING_EXPLICIT_USERS = Collections.synchronizedSet(new
HashSet<String>());
-    
     protected final ManagementContext mgmt;
     
     public ExplicitUsersSecurityProvider(ManagementContext mgmt) {
@@ -43,7 +39,6 @@ public class ExplicitUsersSecurityProvider implements SecurityProvider {
     
     private Set<String> allowedUsers = null;
     
-    @SuppressWarnings("deprecation")
     private synchronized void initialize() {
         if (allowedUsers!=null) return;
 
@@ -52,12 +47,6 @@ public class ExplicitUsersSecurityProvider implements SecurityProvider
{
         allowedUsers = new LinkedHashSet<String>();
         String users = properties.getConfig(BrooklynWebConfig.USERS);
         if (users==null) {
-            users = properties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_EXPLICIT__USERS);
-            if (users!=null) 
-                LOG.warn("Using deprecated config key "+BrooklynWebConfig.SECURITY_PROVIDER_EXPLICIT__USERS.getName()+";
" +
-            		"use "+BrooklynWebConfig.USERS.getName()+" instead");
-        }
-        if (users==null) {
             LOG.warn("Web console has no users configured; no one will be able to log in!");
         } else if ("*".equals(users)) {
             LOG.info("Web console allowing any user (so long as valid password is set)");
@@ -71,7 +60,6 @@ public class ExplicitUsersSecurityProvider implements SecurityProvider {
         }       
     }
     
-    @SuppressWarnings("deprecation")
     @Override
     public boolean authenticate(HttpSession session, String user, String password) {
         if (session==null || user==null) return false;
@@ -88,15 +76,6 @@ public class ExplicitUsersSecurityProvider implements SecurityProvider
{
         BrooklynProperties properties = (BrooklynProperties) mgmt.getConfig();
         String actualP = properties.getConfig(BrooklynWebConfig.PASSWORD_FOR_USER(user));
         if (actualP==null) {
-            actualP = properties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_EXPLICIT__PASSWORD(user));
-            if (actualP!=null) {
-                if (DEPRECATED_WARNING_EXPLICIT_USERS.add(user)) {
-                    LOG.warn("Web console user password set using deprecated property "+BrooklynWebConfig.SECURITY_PROVIDER_EXPLICIT__PASSWORD(user).getName()+";
" +
-                		"configure using "+BrooklynWebConfig.PASSWORD_FOR_USER(user).getName()+"
instead");
-                }
-            }
-        }
-        if (actualP==null) {
             LOG.warn("Web console rejecting passwordless user "+user);
             return false;
         } else if (!actualP.equals(password)){


Mime
View raw message