Add Client Certificate Mapper framework for mTLS support

ramonskie · ramonskie · commit 705b4ccb7b96 · 2025-11-25T22:36:40.000+01:00
- Implement complete Client Certificate Mapper framework
- Add isEnabled() method to respect configuration
- Default to enabled for mTLS client certificate authentication
- Register framework in both supply and finalize phases
- Add manifest entry with SHA256 hash verification
- Include 2 integration tests (both passing)

The framework maps Cloud Foundry X-Forwarded-Client-Cert headers
to javax.servlet.request.X509Certificate for Java applications.

Users can disable with:
JBP_CONFIG_CLIENT_CERTIFICATE_MAPPER='{enabled: false}'
diff --git a/manifest.yml b/manifest.yml
@@ -36,6 +36,8 @@ default_versions:
   version: 2.x
 - name: java-cfenv
   version: 3.x
+- name: client-certificate-mapper
+  version: 2.x
 - name: postgresql-jdbc
   version: 42.x
 - name: mariadb-jdbc
@@ -106,6 +108,9 @@ url_to_dependency_map:
 - match: java-cfenv-(\d+\.\d+\.\d+)
   name: java-cfenv
   version: $1
+- match: client-certificate-mapper-(\d+\.\d+\.\d+)
+  name: client-certificate-mapper
+  version: $1
 - match: postgresql-(\d+\.\d+\.\d+)
   name: postgresql-jdbc
   version: $1
@@ -471,6 +476,15 @@ dependencies:
   - cflinuxfs4
   - cflinuxfs3
 
+# Client Certificate Mapper (mTLS support)
+- name: client-certificate-mapper
+  version: 2.0.1
+  uri: https://java-buildpack.cloudfoundry.org/client-certificate-mapper/client-certificate-mapper-2.0.1.jar
+  sha256: f7f53a460bcd4b0cead4da99dcb251bd283bd5fa4e421eeb52b86986d266cde9
+  cf_stacks:
+  - cflinuxfs4
+  - cflinuxfs3
+
 # PostgreSQL JDBC Driver
 - name: postgresql-jdbc
   version: 42.7.4
diff --git a/src/integration/frameworks_test.go b/src/integration/frameworks_test.go
@@ -517,6 +517,38 @@ func testFrameworks(platform switchblade.Platform, fixtures string) func(*testin
 			})
 		})
 
+		context("mTLS Support", func() {
+			context("with Client Certificate Mapper enabled", func() {
+				it("detects and installs Client Certificate Mapper for mTLS support", func() {
+					deployment, logs, err := platform.Deploy.
+						WithEnv(map[string]string{
+							"BP_JAVA_VERSION":                      "11",
+							"JBP_CONFIG_CLIENT_CERTIFICATE_MAPPER": "'{enabled: true}'",
+						}).
+						Execute(name, filepath.Join(fixtures, "container_tomcat"))
+					Expect(err).NotTo(HaveOccurred(), logs.String)
+
+					// Client Certificate Mapper should be detected and installed
+					Expect(logs.String()).To(ContainSubstring("Client Certificate Mapper"))
+					Expect(deployment.ExternalURL).NotTo(BeEmpty())
+				})
+
+				it("skips Client Certificate Mapper when disabled", func() {
+					deployment, logs, err := platform.Deploy.
+						WithEnv(map[string]string{
+							"BP_JAVA_VERSION":                      "11",
+							"JBP_CONFIG_CLIENT_CERTIFICATE_MAPPER": "'{enabled: false}'",
+						}).
+						Execute(name, filepath.Join(fixtures, "container_tomcat"))
+					Expect(err).NotTo(HaveOccurred(), logs.String)
+
+					// Should not install when explicitly disabled
+					Expect(logs.String()).NotTo(ContainSubstring("Client Certificate Mapper"))
+					Expect(deployment.ExternalURL).NotTo(BeEmpty())
+				})
+			})
+		})
+
 		context("Utility Frameworks", func() {
 			context("with Debug enabled", func() {
 				it("configures remote debugging via JDWP", func() {
diff --git a/src/java/finalize/finalize.go b/src/java/finalize/finalize.go
@@ -162,6 +162,9 @@ func (f *Finalizer) finalizeFrameworks() error {
 	registry.Register(frameworks.NewPostgresqlJdbcFramework(ctx))
 	registry.Register(frameworks.NewMariaDBJDBCFramework(ctx))
 
+	// mTLS Support (Priority 1)
+	registry.Register(frameworks.NewClientCertificateMapperFramework(ctx))
+
 	// Development Tools (Priority 1)
 	registry.Register(frameworks.NewDebugFramework(ctx))
 	registry.Register(frameworks.NewJmxFramework(ctx))
diff --git a/src/java/frameworks/client_certificate_mapper.go b/src/java/frameworks/client_certificate_mapper.go
@@ -0,0 +1,100 @@
+package frameworks
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+// ClientCertificateMapperFramework implements mTLS client certificate mapper support
+// This framework provides automatic mapping of Cloud Foundry client certificates
+// for mutual TLS (mTLS) authentication in Java applications
+type ClientCertificateMapperFramework struct {
+	context *Context
+}
+
+// NewClientCertificateMapperFramework creates a new client certificate mapper framework instance
+func NewClientCertificateMapperFramework(ctx *Context) *ClientCertificateMapperFramework {
+	return &ClientCertificateMapperFramework{context: ctx}
+}
+
+// Detect checks if client certificate mapper should be included
+// Enabled by default to support mTLS scenarios, can be disabled via configuration
+func (c *ClientCertificateMapperFramework) Detect() (string, error) {
+	// Check if explicitly disabled via configuration
+	if !c.isEnabled() {
+		return "", nil
+	}
+
+	// Enabled by default to support mTLS client certificate authentication
+	return "Client Certificate Mapper", nil
+}
+
+// Supply installs the client certificate mapper JAR
+func (c *ClientCertificateMapperFramework) Supply() error {
+	c.context.Log.BeginStep("Installing Client Certificate Mapper")
+
+	// Get client-certificate-mapper dependency from manifest
+	dep, err := c.context.Manifest.DefaultVersion("client-certificate-mapper")
+	if err != nil {
+		return fmt.Errorf("unable to determine Client Certificate Mapper version: %w", err)
+	}
+
+	// Install client certificate mapper JAR
+	mapperDir := filepath.Join(c.context.Stager.DepDir(), "client_certificate_mapper")
+	if err := c.context.Installer.InstallDependency(dep, mapperDir); err != nil {
+		return fmt.Errorf("failed to install Client Certificate Mapper: %w", err)
+	}
+
+	c.context.Log.Info("Installed Client Certificate Mapper version %s", dep.Version)
+	return nil
+}
+
+// Finalize adds the client certificate mapper JAR to the application classpath
+func (c *ClientCertificateMapperFramework) Finalize() error {
+	// Find the installed JAR
+	mapperDir := filepath.Join(c.context.Stager.DepDir(), "client_certificate_mapper")
+	jarPattern := filepath.Join(mapperDir, "client-certificate-mapper-*.jar")
+
+	matches, err := filepath.Glob(jarPattern)
+	if err != nil || len(matches) == 0 {
+		// JAR not found, might not have been installed
+		return nil
+	}
+
+	// Add to classpath via CLASSPATH environment variable
+	classpath := os.Getenv("CLASSPATH")
+	if classpath != "" {
+		classpath += ":"
+	}
+	classpath += matches[0]
+
+	if err := c.context.Stager.WriteEnvFile("CLASSPATH", classpath); err != nil {
+		return fmt.Errorf("failed to set CLASSPATH for Client Certificate Mapper: %w", err)
+	}
+
+	return nil
+}
+
+// isEnabled checks if client certificate mapper is enabled
+// Default is true (enabled) to support mTLS scenarios unless explicitly disabled
+func (c *ClientCertificateMapperFramework) isEnabled() bool {
+	// Check JBP_CONFIG_CLIENT_CERTIFICATE_MAPPER environment variable
+	config := os.Getenv("JBP_CONFIG_CLIENT_CERTIFICATE_MAPPER")
+
+	// Parse the config to check for enabled: false
+	// For simplicity, if JBP_CONFIG_CLIENT_CERTIFICATE_MAPPER is set and contains "enabled", check its value
+	// A more robust implementation would parse YAML
+	if config != "" {
+		// Simple check: if it contains "enabled: false" or "'enabled': false"
+		if contains(config, "enabled: false") || contains(config, "'enabled': false") {
+			return false
+		}
+		if contains(config, "enabled: true") || contains(config, "'enabled': true") {
+			return true
+		}
+	}
+
+	// Default to enabled (to support mTLS client certificate authentication)
+	return true
+}
diff --git a/src/java/supply/supply.go b/src/java/supply/supply.go
@@ -167,6 +167,9 @@ func (s *Supplier) installFrameworks() error {
 	registry.Register(frameworks.NewPostgresqlJdbcFramework(ctx))
 	registry.Register(frameworks.NewMariaDBJDBCFramework(ctx))
 
+	// mTLS Support (Priority 1)
+	registry.Register(frameworks.NewClientCertificateMapperFramework(ctx))
+
 	// Development Tools (Priority 1)
 	registry.Register(frameworks.NewDebugFramework(ctx))
 	registry.Register(frameworks.NewJmxFramework(ctx))
