fix: Fix support of different type of keyrings in proper format (just two slashes) (#2687)

Author: pj892031

api-catalog-package/src/main/resources/bin/start.sh

@@ -123,21 +123,8 @@ key_pass="${ZWE_configs_certificate_key_password:-${ZWE_zowe_certificate_key_pas
 truststore_type="${ZWE_configs_certificate_truststore_type:-${ZWE_zowe_certificate_truststore_type:-PKCS12}}"
 truststore_pass="${ZWE_configs_certificate_truststore_password:-${ZWE_zowe_certificate_truststore_password}}"
 
-
-# Workaround for Java desiring safkeyring://// instead of just ://
-# We can handle both cases of user input by just adding extra "//" if we detect its missing.
-ensure_keyring_slashes() {
-  keyring_string="${1}"
-  only_two_slashes=$(echo "${keyring_string}" | grep "^safkeyring://[^//]")
-  if [ -n "${only_two_slashes}" ]; then
-    keyring_string=$(echo "${keyring_string}" | sed "s#safkeyring://#safkeyring:////#")
-  fi
-  # else, unmodified, perhaps its even p12
-  echo $keyring_string
-}
-
-keystore_location=$(ensure_keyring_slashes "${ZWE_configs_certificate_keystore_file:-${ZWE_zowe_certificate_keystore_file}}")
-truststore_location=$(ensure_keyring_slashes "${ZWE_configs_certificate_truststore_file:-${ZWE_zowe_certificate_truststore_file}}")
+keystore_location="${ZWE_configs_certificate_keystore_file:-${ZWE_zowe_certificate_keystore_file}}"
+truststore_location="${ZWE_configs_certificate_truststore_file:-${ZWE_zowe_certificate_truststore_file}}"
 
 # NOTE: these are moved from below
 #    -Dapiml.service.ipAddress=${ZOWE_IP_ADDRESS:-127.0.0.1} \

api-catalog-services/src/main/java/org/zowe/apiml/apicatalog/config/TomcatConfiguration.java

@@ -10,21 +10,25 @@
 
 package org.zowe.apiml.apicatalog.config;
 
+import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
 import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
 import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
+import java.util.List;
+
 /**
  * Configuration of Tomcat for the API Gateway.
  */
 @Configuration
 public class TomcatConfiguration {
 
     @Bean
-    public ServletWebServerFactory servletContainer() {
+    public ServletWebServerFactory servletContainer(List<TomcatConnectorCustomizer> connectorCustomizers) {
         TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
         tomcat.setProtocol(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
+        tomcat.addConnectorCustomizers(connectorCustomizers.toArray(new TomcatConnectorCustomizer[0]));
         return tomcat;
     }
 }

apiml-common/src/main/java/org/zowe/apiml/product/web/HttpConfig.java

@@ -45,6 +45,9 @@
 @Slf4j
 @Configuration
 public class HttpConfig {
+
+    private static final char[] KEYRING_PASSWORD = "password".toCharArray();
+
     @Value("${server.ssl.protocol:TLSv1.2}")
     private String protocol;
 
@@ -124,9 +127,21 @@ public class HttpConfig {
     @Resource
     private AbstractDiscoveryClientOptionalArgs<?> optionalArgs;
 
+    void updateStorePaths() {
+        if (SecurityUtils.isKeyring(keyStore)) {
+            keyStore = SecurityUtils.formatKeyringUrl(keyStore);
+            if (keyStorePassword == null) keyStorePassword = KEYRING_PASSWORD;
+        }
+        if (SecurityUtils.isKeyring(trustStore)) {
+            trustStore = SecurityUtils.formatKeyringUrl(trustStore);
+            if (trustStorePassword == null) trustStorePassword = KEYRING_PASSWORD;
+        }
+    }
 
     @PostConstruct
     public void init() {
+        updateStorePaths();
+
         try {
             Supplier<HttpsConfig.HttpsConfigBuilder> httpsConfigSupplier = () ->
                 HttpsConfig.builder()
@@ -197,7 +212,7 @@ public Set<String> publicKeyCertificatesBase64() {
 
     private void setTruststore(SslContextFactory sslContextFactory) {
         if (StringUtils.isNotEmpty(trustStore)) {
-            sslContextFactory.setTrustStorePath(SecurityUtils.replaceFourSlashes(trustStore));
+            sslContextFactory.setTrustStorePath(SecurityUtils.formatKeyringUrl(trustStore));
             sslContextFactory.setTrustStoreType(trustStoreType);
             sslContextFactory.setTrustStorePassword(trustStorePassword == null ? null : String.valueOf(trustStorePassword));
         }

apiml-common/src/test/java/org/zowe/apiml/product/web/HttpConfigTest.java

@@ -0,0 +1,54 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.product.web;
+
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class HttpConfigTest {
+
+    @Nested
+    class KeyringFormatAndPasswordUpdate {
+
+        @Test
+        void whenKeyringHasWrongFormatAndMissingPasswords_thenFixIt() {
+            HttpConfig httpConfig = new HttpConfig();
+            ReflectionTestUtils.setField(httpConfig, "keyStore", "safkeyring:///userId/ringId1");
+            ReflectionTestUtils.setField(httpConfig, "trustStore", "safkeyring:////userId/ringId2");
+
+            httpConfig.updateStorePaths();
+
+            assertEquals("safkeyring://userId/ringId1", ReflectionTestUtils.getField(httpConfig, "keyStore"));
+            assertEquals("safkeyring://userId/ringId2", ReflectionTestUtils.getField(httpConfig, "trustStore"));
+            assertArrayEquals("password".toCharArray(), (char[]) ReflectionTestUtils.getField(httpConfig, "keyStorePassword"));
+            assertArrayEquals("password".toCharArray(), (char[]) ReflectionTestUtils.getField(httpConfig, "trustStorePassword"));
+        }
+
+        @Test
+        void whenKeystore_thenDoNothing() {
+            HttpConfig httpConfig = new HttpConfig();
+            ReflectionTestUtils.setField(httpConfig, "keyStore", "/path1");
+            ReflectionTestUtils.setField(httpConfig, "trustStore", "/path2");
+
+            httpConfig.updateStorePaths();
+
+            assertEquals("/path1", ReflectionTestUtils.getField(httpConfig, "keyStore"));
+            assertEquals("/path2", ReflectionTestUtils.getField(httpConfig, "trustStore"));
+            assertNull(ReflectionTestUtils.getField(httpConfig, "keyStorePassword"));
+            assertNull(ReflectionTestUtils.getField(httpConfig, "trustStorePassword"));
+        }
+
+    }
+
+}

apiml-tomcat-common/src/main/java/org/zowe/apiml/product/web/TomcatKeyringFix.java

@@ -0,0 +1,95 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.product.web;
+
+import org.apache.catalina.connector.Connector;
+import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
+import org.springframework.stereotype.Component;
+
+import java.lang.reflect.Field;
+import java.util.Arrays;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@Component
+public class TomcatKeyringFix implements TomcatConnectorCustomizer {
+
+    private static final Pattern KEYRING_PATTERN = Pattern.compile("^(safkeyring[^:]*):/{2,4}([^/]+)/(.+)$");
+    private static final String KEYRING_PASSWORD = "password";
+
+    @Value("${server.ssl.keyStore:#{null}}")
+    protected String keyStore;
+
+    @Value("${server.ssl.keyStorePassword:#{null}}")
+    protected char[] keyStorePassword;
+
+    @Value("${server.ssl.keyPassword:#{null}}")
+    protected char[] keyPassword;
+
+    @Value("${server.ssl.trustStore:#{null}}")
+    protected String trustStore;
+
+    @Value("${server.ssl.trustStorePassword:#{null}}")
+    protected char[] trustStorePassword;
+
+    void fixDefaultCertificate(SSLHostConfig sslHostConfig) {
+        Set<SSLHostConfigCertificate> originalSet = sslHostConfig.getCertificates();
+        if (originalSet.isEmpty()) return;
+
+        try {
+            Field defaultCertificateField = sslHostConfig.getClass().getDeclaredField("defaultCertificate");
+            defaultCertificateField.setAccessible(true); // NOSONAR
+            if (defaultCertificateField.get(sslHostConfig) == null) {
+                defaultCertificateField.set(sslHostConfig, originalSet.iterator().next()); // NOSONAR
+            }
+        } catch (NoSuchFieldException | IllegalAccessException e) {
+            throw new IllegalStateException("Cannot update Tomcat SSL context", e);
+        }
+    }
+
+    boolean isKeyring(String input) {
+        if (input == null) return false;
+        Matcher matcher = KEYRING_PATTERN.matcher(input);
+        return matcher.matches();
+    }
+
+    static String formatKeyringUrl(String keyringUrl) {
+        if (keyringUrl == null) return null;
+        Matcher matcher = KEYRING_PATTERN.matcher(keyringUrl);
+        if (matcher.matches()) {
+            keyringUrl = matcher.group(1) + "://" + matcher.group(2) + "/" + matcher.group(3);
+        }
+        return keyringUrl;
+    }
+
+    @Override
+    public void customize(Connector connector) {
+        Arrays.stream(connector.findSslHostConfigs()).forEach(sslConfig -> {
+            fixDefaultCertificate(sslConfig);
+
+            if (isKeyring(keyStore)) {
+                sslConfig.setCertificateKeystoreFile(formatKeyringUrl(keyStore));
+                if (keyStorePassword == null) sslConfig.setCertificateKeystorePassword(KEYRING_PASSWORD);
+                if (keyPassword == null) sslConfig.setCertificateKeyPassword(KEYRING_PASSWORD);
+            }
+
+            if (isKeyring(trustStore)) {
+                sslConfig.setTruststoreFile(formatKeyringUrl(trustStore));
+                if (trustStorePassword == null) sslConfig.setTruststorePassword(KEYRING_PASSWORD);
+            }
+        });
+    }
+
+}

apiml-tomcat-common/src/test/java/org/zowe/apiml/product/web/TomcatKeyringFixTest.java

@@ -0,0 +1,102 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.product.web;
+
+import org.apache.catalina.connector.Connector;
+import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertSame;
+import static org.mockito.Mockito.*;
+
+class TomcatKeyringFixTest {
+
+    private static final String PASSWORD = "password";
+
+    private SSLHostConfig sslHostConfig = mock(SSLHostConfig.class);
+
+    @BeforeEach
+    void setUp() {
+    }
+
+    private Connector getConnector() {
+        Connector connector = mock(Connector.class);
+        doReturn(new SSLHostConfig[] {sslHostConfig}).when(connector).findSslHostConfigs();
+        return connector;
+    }
+
+    private Connector customize(
+        String keyStore, char[] keyStorePassword, char[] keyPassword,
+        String trustStore, char[] trustStorePassword
+    ) {
+        TomcatKeyringFix customizer = new TomcatKeyringFix();
+        ReflectionTestUtils.setField(customizer, "keyStore", keyStore);
+        ReflectionTestUtils.setField(customizer, "keyStorePassword", keyStorePassword);
+        ReflectionTestUtils.setField(customizer, "keyPassword", keyPassword);
+        ReflectionTestUtils.setField(customizer, "trustStore", trustStore);
+        ReflectionTestUtils.setField(customizer, "trustStorePassword", trustStorePassword);
+
+        Connector connector = getConnector();
+        customizer.customize(connector);
+        return connector;
+    }
+
+    @Nested
+    class UsingKeyring {
+
+        @Test
+        void whenInvalidFormatAndMissingPassword_thenFixIt() {
+            customize("safkeyring:///userId/ringIdKs", null, null, "safkeyringpce:////userId/ringIdTs", null);
+            verify(sslHostConfig).setCertificateKeystoreFile("safkeyring://userId/ringIdKs");
+            verify(sslHostConfig).setCertificateKeystorePassword(PASSWORD);
+            verify(sslHostConfig).setCertificateKeyPassword(PASSWORD);
+            verify(sslHostConfig).setTruststoreFile("safkeyringpce://userId/ringIdTs");
+            verify(sslHostConfig).setTruststorePassword(PASSWORD);
+        }
+
+    }
+
+    @Nested
+    class UsingKeystore {
+
+        @Test
+        void dontUpdate() {
+            customize("/somePath", null, null, "/anotherPath", null);
+            verify(sslHostConfig, never()).setCertificateKeystoreFile(any());
+            verify(sslHostConfig, never()).setCertificateKeystorePassword(any());
+            verify(sslHostConfig, never()).setCertificateKeyPassword(any());
+            verify(sslHostConfig, never()).setTruststoreFile(any());
+            verify(sslHostConfig, never()).setTruststorePassword(any());
+        }
+
+    }
+
+    @Nested
+    class InvalidDefaultCertStructure {
+
+        @Test
+        void whenSSLHostConfigContainsACertificate() {
+            SSLHostConfigCertificate cert = mock(SSLHostConfigCertificate.class);
+            sslHostConfig = new SSLHostConfig();
+            sslHostConfig.getCertificates().add(cert);
+            assertNull(ReflectionTestUtils.getField(sslHostConfig, "defaultCertificate"));
+            customize("safkeyring:///userId/ringIdKs", null, null, "safkeyringpce:////userId/ringIdTs", null);
+            assertSame(cert, ReflectionTestUtils.getField(sslHostConfig, "defaultCertificate"));
+        }
+
+    }
+
+}

caching-service-package/src/main/resources/bin/start.sh

@@ -117,21 +117,8 @@ key_pass="${ZWE_configs_certificate_key_password:-${ZWE_zowe_certificate_key_pas
 truststore_type="${ZWE_configs_certificate_truststore_type:-${ZWE_zowe_certificate_truststore_type:-PKCS12}}"
 truststore_pass="${ZWE_configs_certificate_truststore_password:-${ZWE_zowe_certificate_truststore_password}}"
 
-
-# Workaround for Java desiring safkeyring://// instead of just ://
-# We can handle both cases of user input by just adding extra "//" if we detect its missing.
-ensure_keyring_slashes() {
-  keyring_string="${1}"
-  only_two_slashes=$(echo "${keyring_string}" | grep "^safkeyring://[^//]")
-  if [ -n "${only_two_slashes}" ]; then
-    keyring_string=$(echo "${keyring_string}" | sed "s#safkeyring://#safkeyring:////#")
-  fi
-  # else, unmodified, perhaps its even p12
-  echo $keyring_string
-}
-
-keystore_location=$(ensure_keyring_slashes "${ZWE_configs_certificate_keystore_file:-${ZWE_zowe_certificate_keystore_file}}")
-truststore_location=$(ensure_keyring_slashes "${ZWE_configs_certificate_truststore_file:-${ZWE_zowe_certificate_truststore_file}}")
+keystore_location="${ZWE_configs_certificate_keystore_file:-${ZWE_zowe_certificate_keystore_file}}"
+truststore_location="${ZWE_configs_certificate_truststore_file:-${ZWE_zowe_certificate_truststore_file}}"
 
 # NOTE: these are moved from below
 #   -Dapiml.service.ipAddress=${ZOWE_IP_ADDRESS:-127.0.0.1} \

caching-service/src/main/java/org/zowe/apiml/caching/config/GeneralConfig.java

@@ -18,9 +18,13 @@
 import org.springframework.boot.web.server.WebServerFactoryCustomizer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.zowe.apiml.product.web.ApimlTomcatCustomizer;
+import org.zowe.apiml.product.web.TomcatAcceptFixConfig;
+import org.zowe.apiml.product.web.TomcatKeyringFix;
 
 @Configuration
+@Import({ TomcatKeyringFix.class, TomcatAcceptFixConfig.class })
 @Data
 @ToString
 public class GeneralConfig {