Safenet Luna Security Provider

The change adds a framework for the Safenet Luna Security Provider.
This  framework is triggered by a service with the name 'luna' in it.
It depends on that service having the HSM host, host-certificate,
client, and client-certificate.  In also expects users to provide a
repository with the Luna Client binaries in it.

[#96530962][#99962452]

Author: nebhale

.idea/dictionaries/bhale.xml

@@ -57,6 +57,7 @@ To learn how to configure various properties of the buildpack, follow the "Confi
 	* [DynaTrace Agent](docs/framework-dyna_trace_agent.md) ([Configuration](docs/framework-dyna_trace_agent.md#configuration))
 	* [Java Options](docs/framework-java_opts.md) ([Configuration](docs/framework-java_opts.md#configuration))
 	* [JRebel Agent](docs/framework-jrebel_agent.md) ([Configuration](docs/framework-jrebel_agent.md#configuration))
+	* [Luna Security Provider](docs/framework-luna_security_provider.md) ([Configuration](docs/framework-luna_security_provider.md#configuration))
 	* [MariaDB JDBC](docs/framework-maria_db_jdbc.md) ([Configuration](docs/framework-maria_db_jdbc.md#configuration))
 	* [New Relic Agent](docs/framework-new_relic_agent.md) ([Configuration](docs/framework-new_relic_agent.md#configuration))
 	* [Play Framework Auto Reconfiguration](docs/framework-play_framework_auto_reconfiguration.md) ([Configuration](docs/framework-play_framework_auto_reconfiguration.md#configuration))

README.md

@@ -37,6 +37,7 @@ frameworks:
 # - "JavaBuildpack::Framework::DynaTraceAgent"
   - "JavaBuildpack::Framework::JavaOpts"
   - "JavaBuildpack::Framework::JrebelAgent"
+#  - "JavaBuildpack::Framework::LunaSecurityProvider"
   - "JavaBuildpack::Framework::MariaDbJDBC"
   - "JavaBuildpack::Framework::NewRelicAgent"
   - "JavaBuildpack::Framework::PlayFrameworkAutoReconfiguration"

config/components.yml

@@ -0,0 +1,19 @@
+# Cloud Foundry Java Buildpack
+# Copyright (c) 2015 the original author or authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Configuration for the Dynatrace framework
+---
+version: 5.3.+
+repository_root: ""

config/luna_security_provider.yml

@@ -0,0 +1,46 @@
+# Luna Security Provider Framework
+The Luna Security Provider Framework causes an application to be automatically configured to work with a bound [Luna Security Service][]. **Note:** This framework is disabled by default.
+
+<table>
+  <tr>
+    <td><strong>Detection Criterion</strong></td>
+    <td>Existence of a single bound Luna Security Provider service. The existence of an Luna Security service defined by the <a href="http://docs.cloudfoundry.org/devguide/deploy-apps/environment-variable.html#VCAP-SERVICES"><code>VCAP_SERVICES</code></a> payload containing a service name, label or tag with <code>luna</code> as a substring.
+</td>
+  </tr>
+  <tr>
+    <td><strong>Tags</strong></td>
+    <td><tt>luna-security-provider=&lt;version&gt;</tt></td>
+  </tr>
+</table>
+Tags are printed to standard output by the buildpack detect script
+
+## User-Provided Service
+When binding to the Luna Security Provider using a user-provided service, it must have name or tag with `luna` in it. The credential payload can contain the following entries:
+
+| Name | Description
+| ---- | -----------
+| `host` | The controller host name
+| `host-certificate` | A PEM encoded host certificate
+| `client-private-key` | A PEM encoded client private key
+| `client-certificate` | A PEM encoded client certificate
+
+To provide more complex values such as the PEM certificates, using the interactive mode when creating a user-provided service will manage the character escaping automatically.
+
+## Configuration
+For general information on configuring the buildpack, refer to [Configuration and Extension][].
+
+The framework can be configured by modifying the [`config/luna_security_provider.yml`][] file in the buildpack. The framework uses the [`Repository` utility support][repositories] and so it supports the [version syntax][] defined there.
+
+| Name | Description
+| ---- | -----------
+| `repository_root` | The URL of the Luna Security Provider repository index ([details][repositories]).
+| `version` | Version of the Luna Security Provider to use.
+
+### Additional Resources
+The framework can also be configured by overlaying a set of resources on the default distribution.  To do this, add files to the `resources/luna_security_provider` directory in the buildpack fork.
+
+[`config/luna_security_provider.yml`]: ../config/luna_security_provider.yml
+[Luna Security Service]: http://www.safenet-inc.com/data-encryption/hardware-security-modules-hsms/
+[Configuration and Extension]: ../README.md#configuration-and-extension
+[repositories]: extending-repositories.md
+[version syntax]: extending-repositories.md#version-syntax-and-ordering

docs/framework-luna_security_provider.md

@@ -271,7 +271,7 @@
     <orderEntry type="library" scope="PROVIDED" name="addressable (v2.3.8, rbenv: 1.9.3-p551) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="ast (v2.0.0, rbenv: 1.9.3-p551) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="astrolabe (v1.3.0, rbenv: 1.9.3-p551) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="bundler (v1.8.2, rbenv: 1.9.3-p551) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="bundler (v1.10.6, rbenv: 1.9.3-p551) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="codeclimate-test-reporter (v0.4.7, rbenv: 1.9.3-p551) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="crack (v0.4.2, rbenv: 1.9.3-p551) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="diff-lcs (v1.2.5, rbenv: 1.9.3-p551) [gem]" level="application" />

java-buildpack.iml

@@ -19,6 +19,7 @@
 require 'java_buildpack/component/additional_libraries'
 require 'java_buildpack/component/application'
 require 'java_buildpack/component/droplet'
+require 'java_buildpack/component/environment_variables'
 require 'java_buildpack/component/immutable_java_home'
 require 'java_buildpack/component/java_opts'
 require 'java_buildpack/component/mutable_java_home'
@@ -104,24 +105,26 @@ def initialize(app_dir, application)
 
       log_environment_variables
 
-      additional_libraries = Component::AdditionalLibraries.new app_dir
-      mutable_java_home    = Component::MutableJavaHome.new
-      immutable_java_home  = Component::ImmutableJavaHome.new mutable_java_home, app_dir
-      java_opts            = Component::JavaOpts.new app_dir
+      mutable_java_home   = Component::MutableJavaHome.new
+      immutable_java_home = Component::ImmutableJavaHome.new mutable_java_home, app_dir
 
-      instantiate_components(additional_libraries, app_dir, application, immutable_java_home, java_opts,
-                             mutable_java_home)
+      component_info = {
+        'additional_libraries' => Component::AdditionalLibraries.new(app_dir),
+        'application'          => application,
+        'env_vars'             => Component::EnvironmentVariables.new(app_dir),
+        'java_opts'            => Component::JavaOpts.new(app_dir),
+        'app_dir'              => app_dir
+      }
+
+      instantiate_components(mutable_java_home, immutable_java_home, component_info)
     end
 
-    def instantiate_components(additional_libraries, app_dir, application, immutable_java_home, java_opts,
-                               mutable_java_home)
-      components  = JavaBuildpack::Util::ConfigurationUtils.load 'components'
-      @jres       = instantiate(components['jres'], additional_libraries, application, mutable_java_home, java_opts,
-                                app_dir)
-      @frameworks = instantiate(components['frameworks'], additional_libraries, application, immutable_java_home,
-                                java_opts, app_dir)
-      @containers = instantiate(components['containers'], additional_libraries, application, immutable_java_home,
-                                java_opts, app_dir)
+    def instantiate_components(mutable_java_home, immutable_java_home, component_info)
+      components = JavaBuildpack::Util::ConfigurationUtils.load 'components'
+
+      @jres       = instantiate(components['jres'], mutable_java_home, component_info)
+      @frameworks = instantiate(components['frameworks'], immutable_java_home, component_info)
+      @containers = instantiate(components['containers'], immutable_java_home, component_info)
     end
 
     def component_detection(type, components, unique)
@@ -146,19 +149,21 @@ def detection(type, components, unique)
       [detected, tags]
     end
 
-    def instantiate(components, additional_libraries, application, java_home, java_opts, root)
+    def instantiate(components, java_home, component_info)
       components.map do |component|
         @logger.debug { "Instantiating #{component}" }
 
         require_component(component)
 
         component_id = component.split('::').last.snake_case
-        context      = {
-          application:   application,
+
+        context = {
+          application:   component_info['application'],
           configuration: Util::ConfigurationUtils.load(component_id),
-          droplet:       Component::Droplet.new(additional_libraries, component_id, java_home, java_opts, root)
+          droplet:       Component::Droplet.new(component_info['additional_libraries'], component_id,
+                                                component_info['env_vars'], java_home,
+                                                component_info['java_opts'], component_info['app_dir'])
         }
-
         component.constantize.new(context)
       end
     end

lib/java_buildpack/buildpack.rb

@@ -38,6 +38,10 @@ class Droplet
       # @return [String] the id of component using this droplet
       attr_reader :component_id
 
+      # @!attribute [r] environment_variables
+      # @return [EnvironmentVariables] the shared +EnvironmentVariables+ instance for all components
+      attr_reader :environment_variables
+
       # @!attribute [r] java_home
       # @return [ImmutableJavaHome, MutableJavaHome] the shared +JavaHome+ instance for all components.  If the
       #                                              component using this instance is a jre, then this will be an
@@ -63,18 +67,21 @@ class Droplet
       # @param [AdditionalLibraries] additional_libraries     the shared +AdditionalLibraries+ instance for all
       #                                                       components
       # @param [String] component_id                          the id of the component that will use this +Droplet+
+      # @param [EnvironmentVariables] env_vars                the shared +EnvironmentVariables+ instance for all
+      #                                                       components
       # @param [ImmutableJavaHome, MutableJavaHome] java_home the shared +JavaHome+ instance for all components.  If the
       #                                                       component using this instance is a jre, then this should
       #                                                       be an instance of +MutableJavaHome+.  Otherwise it should
       #                                                       be an instance of +ImmutableJavaHome+.
       # @param [JavaOpts] java_opts                           the shared +JavaOpts+ instance for all components
       # @param [Pathname] root                                the root of the droplet
-      def initialize(additional_libraries, component_id, java_home, java_opts, root)
-        @additional_libraries = additional_libraries
-        @component_id         = component_id
-        @java_home            = java_home
-        @java_opts            = java_opts
-        @logger               = JavaBuildpack::Logging::LoggerFactory.instance.get_logger Droplet
+      def initialize(additional_libraries, component_id, env_vars, java_home, java_opts, root)
+        @additional_libraries  = additional_libraries
+        @component_id          = component_id
+        @environment_variables = env_vars
+        @java_home             = java_home
+        @java_opts             = java_opts
+        @logger                = JavaBuildpack::Logging::LoggerFactory.instance.get_logger Droplet
 
         buildpack_root = root + '.java-buildpack'
         sandbox_root   = buildpack_root + component_id

lib/java_buildpack/component/droplet.rb

@@ -0,0 +1,62 @@
+# Encoding: utf-8
+# Cloud Foundry Java Buildpack
+# Copyright 2013-2015 the original author or authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'java_buildpack/component'
+require 'java_buildpack/util/qualify_path'
+
+module JavaBuildpack
+  module Component
+
+    # An abstraction encapsulating the Environment Variables of an application.
+    #
+    # A new instance of this type should be created once for the application.
+    class EnvironmentVariables < Array
+      include JavaBuildpack::Util
+
+      # Creates an instance of the Environment Variables abstraction.
+      #
+      # @param [Pathname] droplet_root the root directory of the droplet
+      def initialize(droplet_root)
+        @droplet_root = droplet_root
+      end
+
+      # Adds an environment variable. Prepends +$PWD+ to any variable values that are
+      # paths (relative to the droplet root) to ensure that the path is always accurate.
+      #
+      # @param [String] key the variable name
+      # @param [String] value the variable value
+      # @return [EnvironmentVariables] +self+ for chaining
+      def add_environment_variable(key, value)
+        self << "#{key}=#{qualify_value(value)}"
+      end
+
+      # Returns the contents as an environment variable formatted as +<key>=<value>+
+      #
+      # @return [String] the contents as an environment variable
+      def as_env_vars
+        join(' ')
+      end
+
+      private
+
+      def qualify_value(value)
+        value.respond_to?(:relative_path_from) ? qualify_path(value) : value
+      end
+
+    end
+
+  end
+end

lib/java_buildpack/component/environment_variables.rb

@@ -46,7 +46,7 @@ def add_javaagent(path)
       # ensure that the path is always accurate.
       #
       # @param [Pathname] path the path to the +agentpath+ shared library
-      # @param [Properties] properties to append to the agentpath entry
+      # @param [Properties] props to append to the agentpath entry
       # @return [JavaOpts]     +self+ for chaining
       def add_agentpath_with_props(path, props)
         add_preformatted_options "-agentpath:#{qualify_path path}=" + props.map { |k, v| "#{k}=#{v}" }.join(',')

lib/java_buildpack/component/java_opts.rb

@@ -41,6 +41,7 @@ def compile
       # (see JavaBuildpack::Component::BaseComponent#release)
       def release
         [
+          @droplet.environment_variables.as_env_vars,
           @droplet.java_home.as_env_var,
           @droplet.java_opts.as_env_var,
           qualify_path(start_script(root), @droplet.root)

lib/java_buildpack/container/dist_zip_like.rb

@@ -53,6 +53,7 @@ def release
         add_libs
 
         [
+          @droplet.environment_variables.as_env_vars,
           @droplet.java_home.as_env_var,
           @droplet.java_opts.as_env_var,
           qualify_path(@droplet.sandbox + 'bin/groovy', @droplet.root),

lib/java_buildpack/container/groovy.rb

@@ -42,6 +42,7 @@ def compile
       def release
         @droplet.additional_libraries.insert 0, @application.root
         manifest_class_path.each { |path| @droplet.additional_libraries << path }
+        @droplet.environment_variables.add_environment_variable 'SERVER_PORT', '$PORT' if boot_launcher?
 
         release_text
       end
@@ -56,7 +57,7 @@ def release
 
       def release_text
         [
-          port,
+          @droplet.environment_variables.as_env_vars,
           "#{qualify_path @droplet.java_home.root, @droplet.root}/bin/java",
           @droplet.additional_libraries.as_classpath,
           @droplet.java_opts.join(' '),
@@ -69,6 +70,10 @@ def arguments
         @configuration[ARGUMENTS_PROPERTY]
       end
 
+      def boot_launcher?
+        main_class =~ /^org\.springframework\.boot\.loader\.(?:[JW]ar|Properties)Launcher$/
+      end
+
       def main_class
         JavaBuildpack::Util::JavaMainUtils.main_class(@application, @configuration)
       end
@@ -78,10 +83,6 @@ def manifest_class_path
         values.nil? ? [] : values.split(' ').map { |value| @droplet.root + value }
       end
 
-      def port
-        main_class =~ /^org\.springframework\.boot\.loader\.(?:[JW]ar|Properties)Launcher$/ ? 'SERVER_PORT=$PORT' : nil
-      end
-
     end
 
   end

lib/java_buildpack/container/java_main.rb

@@ -35,7 +35,8 @@ def initialize(context)
 
       # (see JavaBuildpack::Container::DistZipLike#release)
       def release
-        "SERVER_PORT=$PORT #{super}"
+        @droplet.environment_variables.add_environment_variable 'SERVER_PORT', '$PORT'
+        super
       end
 
       protected

lib/java_buildpack/container/spring_boot.rb

@@ -45,10 +45,12 @@ def compile
 
       # (see JavaBuildpack::Component::BaseComponent#release)
       def release
+        @droplet.environment_variables.add_environment_variable 'SERVER_PORT', '$PORT'
+
         [
+          @droplet.environment_variables.as_env_vars,
           @droplet.java_home.as_env_var,
           @droplet.java_opts.as_env_var,
-          'SERVER_PORT=$PORT',
           qualify_path(@droplet.sandbox + 'bin/spring', @droplet.root),
           'run',
           @droplet.additional_libraries.as_classpath,

lib/java_buildpack/container/spring_boot_cli.rb

@@ -38,6 +38,7 @@ def command
         @droplet.java_opts.add_system_property 'http.port', '$PORT'
 
         [
+          @droplet.environment_variables.as_env_vars,
           @droplet.java_home.as_env_var,
           @droplet.java_opts.as_env_var,
           "$PWD/#{(@droplet.sandbox + 'bin/catalina.sh').relative_path_from(@droplet.root)}",