add starttls property to java_certificate resource

Signed-off-by: Joshua Colson <joshua.colson@gmail.com>

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 This file is used to list changes made in each version of the Java cookbook.
 
+## Unreleased
+
+- Add `starttls` property to `java_certificate` resource to allow fetching certificates from non HTTPS endpoints
+
 ## 8.3.2 (2020-08-20)
 
 - Add aarch64 installation candidate for Corretto

documentation/resources/certificate.md

@@ -22,6 +22,7 @@ It can also populate the keystore with a certificate retrieved from a given SSL
 | `cert_data`       | String |                             | The certificate data to install                                                         |
 | `cert_file`       | String |                             | Path to a certificate file to install                                                   |
 | `ssl_endpoint`    | String |                             | An SSL end-point from which to download the certificate                                 |
+| `starttls`        | String | ''                          | Control the TLS protocol handler when fetching a remote certificate from `ssl_endpoint` |
 
 ## Examples
 

kitchen.macos.yml

@@ -23,7 +23,10 @@ suites:
   - name: adoptopenjdk-14
     run_list:
       - recipe[homebrew]
-      - recipe[test::adoptopenjdk-14-openj9]
+      - recipe[test::adoptopenjdk]
+    attributes:
+      version: 14
+      variant: openj9
     verifier:
       inspec_tests: [test/integration/adoptopenjdk]
       input_files: [test/integration/adoptopenjdk/attributes/adoptopenjdk-14-macos.yml]

kitchen.yml

@@ -99,19 +99,28 @@ suites:
   # Version 8
   - name: adoptopenjdk-8-hotspot
     run_list:
-      - recipe[test::adoptopenjdk-8-hotspot]
+      - recipe[test::adoptopenjdk]
+    attributes:
+      version: 8
+      variant: hotspot
     verifier:
       inspec_tests: [test/integration/adoptopenjdk]
       input_files: [test/integration/adoptopenjdk/attributes/adoptopenjdk-8-hotspot.yml]
   - name: adoptopenjdk-8-openj9
     run_list:
       - recipe[test::adoptopenjdk-8-openj9]
+    attributes:
+      version: 8
+      variant: openj9
     verifier:
       inspec_tests: [test/integration/adoptopenjdk]
       input_files: [test/integration/adoptopenjdk/attributes/adoptopenjdk-8-openj9.yml]
   - name: adoptopenjdk-8-openj9-large-heap
     run_list:
-      - recipe[test::adoptopenjdk-8-openj9-large-heap]
+      - recipe[test::adoptopenjdk]
+    attributes:
+      version: 8
+      variant: openj9-large-heap
     verifier:
       inspec_tests: [test/integration/adoptopenjdk]
       input_files: [test/integration/adoptopenjdk/attributes/adoptopenjdk-8-openj9-large-heap.yml]
@@ -120,39 +129,57 @@ suites:
   - name: adoptopenjdk-11-hotspot
     run_list:
       - recipe[test::adoptopenjdk-11-hotspot]
+    attributes:
+      version: 11
+      variant: hotspot
     verifier:
       inspec_tests: [test/integration/adoptopenjdk]
       input_files: [test/integration/adoptopenjdk/attributes/adoptopenjdk-11-hotspot.yml]
   - name: adoptopenjdk-11-openj9
     run_list:
       - recipe[test::adoptopenjdk-11-openj9]
+    attributes:
+      version: 11
+      variant: openj9
     verifier:
       inspec_tests: [test/integration/adoptopenjdk]
       input_files: [test/integration/adoptopenjdk/attributes/adoptopenjdk-11-openj9.yml]
   - name: adoptopenjdk-11-openj9-large-heap
     run_list:
       - recipe[test::adoptopenjdk-11-openj9-large-heap]
+    attributes:
+      version: 11
+      variant: openj9-large-heap
     verifier:
       inspec_tests: [test/integration/adoptopenjdk]
       input_files: [test/integration/adoptopenjdk/attributes/adoptopenjdk-11-openj9-large-heap.yml]
 
   # Version 14
   - name: adoptopenjdk-14-openj9-large-heap
     run_list:
-      - recipe[test::adoptopenjdk-14-openj9-large-heap]
+      - recipe[test::adoptopenjdk]
+    attributes:
+      version: 14
+      variant: openj9-large-heap
     verifier:
       inspec_tests: [test/integration/adoptopenjdk]
       input_files: [test/integration/adoptopenjdk/attributes/adoptopenjdk-14-openj9-large-heap.yml]
   - name: adoptopenjdk-14-openj9
     run_list:
-      - recipe[test::adoptopenjdk-14-openj9]
+      - recipe[test::adoptopenjdk]
+    attributes:
+      version: 14
+      variant: openj9
     verifier:
       inspec_tests:
         - test/integration/adoptopenjdk
       input_files: [test/integration/adoptopenjdk/attributes/adoptopenjdk-14-openj9.yml]
   - name: adoptopenjdk-14-hotspot
     run_list:
-      - recipe[test::adoptopenjdk-14-hotspot]
+      - recipe[test::adoptopenjdk]
+    attributes:
+      version: 14
+      variant: hotspot
     verifier:
       inspec_tests: [test/integration/adoptopenjdk]
       input_files: [test/integration/adoptopenjdk/attributes/adoptopenjdk-14-hotspot.yml]

resources/certificate.rb

@@ -27,7 +27,7 @@
 
 property :java_version, String,
   default: lazy { node['java']['jdk_version'] },
-  description: ' The java version'
+  description: 'The java version'
 
 property :keystore_path, String,
   description: 'Path to the keystore'
@@ -45,6 +45,11 @@
 property :ssl_endpoint, String,
   description: 'An SSL end-point from which to download the certificate'
 
+property :starttls, String,
+  default: '',
+  equal_to: ['', 'smtp', 'pop3', 'imap', 'ftp', 'xmpp', 'xmpp-server', 'irc', 'postgres', 'mysql', 'lmtp', 'nntp', 'sieve', 'ldap'],
+  description: 'A protocol specific STARTTLS argument to use when fetching from an ssl_endpoint'
+
 action :install do
   require 'openssl'
 
@@ -140,8 +145,9 @@ def fetch_certdata
     return IO.read(new_resource.cert_file) unless new_resource.cert_file.nil?
 
     certendpoint = new_resource.ssl_endpoint
+    starttls = new_resource.starttls.empty? ? '' : "-starttls #{new_resource.starttls}"
     unless certendpoint.nil?
-      cmd = Mixlib::ShellOut.new("echo QUIT | openssl s_client -showcerts -servername #{certendpoint.split(':').first} -connect #{certendpoint} 2> /dev/null | openssl x509")
+      cmd = Mixlib::ShellOut.new("echo QUIT | openssl s_client -showcerts -servername #{certendpoint.split(':').first} -connect #{certendpoint} #{starttls} 2> /dev/null | openssl x509")
       cmd.run_command
       Chef::Log.debug(cmd.format_for_exception)
 

test/fixtures/cookbooks/test/recipes/adoptopenjdk.rb

@@ -0,0 +1,14 @@
+apt_update
+
+version = node['version']
+variant = node['variant']
+
+adoptopenjdk_install version do
+  variant variant
+end
+
+cookbook_file '/tmp/UnlimitedSupportJCETest.jar' do
+  source 'UnlimitedSupportJCETest.jar'
+end
+
+include_recipe 'test::java_cert'

test/fixtures/cookbooks/test/recipes/corretto.rb

@@ -1 +1,3 @@
 corretto_install node['version']
+
+include_recipe 'test::java_cert'

test/fixtures/cookbooks/test/recipes/java_cert.rb

@@ -1,15 +1,31 @@
+version = node['version'].to_s
+
 cookbook_file '/tmp/java_certificate_test.pem' do
   source 'java_certificate_test.pem'
 end
 
 java_certificate 'java_certificate_test' do
   cert_file '/tmp/java_certificate_test.pem'
+  java_version version
 end
 
 java_certificate 'java_certificate_ssl_endpoint' do
   ssl_endpoint 'google.com:443'
+  java_version version
 end
 
 java_certificate 'java_certificate_ssl_endpoint' do
+  java_version version
+  action :remove
+end
+
+java_certificate 'java_certificate_ssl_endpoint_starttls_smtp' do
+  ssl_endpoint 'smtp.gmail.com:587'
+  starttls 'smtp'
+  java_version version
+end
+
+java_certificate 'java_certificate_ssl_endpoint_starttls_smtp' do
+  java_version version
   action :remove
 end

test/fixtures/cookbooks/test/recipes/openjdk.rb

@@ -1 +1,3 @@
 openjdk_install node['version']
+
+include_recipe 'test::java_cert'

test/fixtures/cookbooks/test/recipes/openjdk_pkg.rb

@@ -1 +1,3 @@
 openjdk_pkg_install node['version']
+
+include_recipe 'test::java_cert'