Add Container Security Provider and Luna Security Provider frameworks

ramonskie · ramonskie · commit df21e99bc24b · 2025-11-25T23:55:22.000+01:00
Implements two security provider frameworks for Java applications:

1. Container Security Provider (1.20.0):
   - Always enabled by default (no service binding required)
   - Provides CloudFoundryContainerProvider for Java security
   - Configures JAVA_OPTS for Java 8 (extension dirs) and Java 9+ (bootstrap classpath)

2. Luna Security Provider (7.4.0):
   - Requires Luna HSM service binding
   - Installs Safenet Luna client libraries and native components
   - Configures Chrystoki.conf for HSM server connections
   - Supports HA configurations with multiple server groups

Files added:
- src/java/frameworks/container_security_provider.go (265 lines)
- src/java/frameworks/luna_security_provider.go (487 lines)

Files modified:
- manifest.yml: Added dependencies with verified SHA256 hashes
- src/java/supply/supply.go: Registered frameworks (lines 173-175)
- src/java/finalize/finalize.go: Registered frameworks (lines 168-170)
- src/integration/frameworks_test.go: Added Container Security Provider test

Integration test: Container Security Provider test passes (20.70s)
diff --git a/manifest.yml b/manifest.yml
@@ -70,6 +70,10 @@ default_versions:
   version: 14.x
 - name: sealights-agent
   version: 4.x
+- name: container-security-provider
+  version: 1.x
+- name: luna-security-provider
+  version: 7.x
 
 url_to_dependency_map:
 - match: openjdk-jre-(\d+\.\d+\.\d+)
@@ -159,6 +163,12 @@ url_to_dependency_map:
 - match: sealights-java-(\d+\.\d+\.\d+)
   name: sealights-agent
   version: $1
+- match: container-security-provider-(\d+\.\d+\.\d+)
+  name: container-security-provider
+  version: $1
+- match: luna-security-provider-(\d+\.\d+\.\d+)
+  name: luna-security-provider
+  version: $1
 
 dependency_deprecation_dates:
 - version_line: 8.x
@@ -615,3 +625,30 @@ dependencies:
   cf_stacks:
   - cflinuxfs4
   - cflinuxfs3
+
+# ========================================
+# Container Security Provider
+# ========================================
+# Repository: https://java-buildpack.cloudfoundry.org/container-security-provider/
+# Note: Always enabled by default, provides container-specific security context
+- name: container-security-provider
+  version: 1.20.0
+  uri: https://java-buildpack.cloudfoundry.org/container-security-provider/container-security-provider-1.20.0-RELEASE.jar
+  sha256: fef33f4ffec1451b97253887026ec65ad99df0d2e8f8412e50e2afe5a4f6c62d
+  cf_stacks:
+  - cflinuxfs4
+  - cflinuxfs3
+
+# ========================================
+# Luna Security Provider
+# ========================================
+# Repository: https://java-buildpack.cloudfoundry.org/luna-security-provider/
+# Note: Requires Luna HSM service binding in VCAP_SERVICES
+# Contains native libraries (libLunaAPI.so) and JARs for SafeNet Luna HSM integration
+- name: luna-security-provider
+  version: 7.4.0
+  uri: https://java-buildpack.cloudfoundry.org/luna-security-provider/LunaClient-Minimal-v7.4.0-226.x86_64.tar
+  sha256: e024103719ffa99a011607942ecddfd91c5681113e6cea27f5514bc9fa172875
+  cf_stacks:
+  - cflinuxfs4
+  - cflinuxfs3
diff --git a/src/integration/frameworks_test.go b/src/integration/frameworks_test.go
@@ -896,6 +896,20 @@ func testFrameworks(platform switchblade.Platform, fixtures string) func(*testin
 					Expect(deployment.ExternalURL).NotTo(BeEmpty())
 				})
 			})
+
+			context("with Container Security Provider", func() {
+				it("detects and configures Container Security Provider", func() {
+					deployment, logs, err := platform.Deploy.
+						WithEnv(map[string]string{
+							"BP_JAVA_VERSION": "11",
+						}).
+						Execute(name, filepath.Join(fixtures, "container_spring_boot_staged"))
+					Expect(err).NotTo(HaveOccurred(), logs.String)
+
+					Expect(logs.String()).To(ContainSubstring("Container Security Provider"))
+					Expect(deployment.ExternalURL).NotTo(BeEmpty())
+				})
+			})
 		})
 	}
 }
diff --git a/src/java/finalize/finalize.go b/src/java/finalize/finalize.go
@@ -165,6 +165,10 @@ func (f *Finalizer) finalizeFrameworks() error {
 	// mTLS Support (Priority 1)
 	registry.Register(frameworks.NewClientCertificateMapperFramework(ctx))
 
+	// Security Providers (Priority 1)
+	registry.Register(frameworks.NewContainerSecurityProviderFramework(ctx))
+	registry.Register(frameworks.NewLunaSecurityProviderFramework(ctx))
+
 	// Development Tools (Priority 1)
 	registry.Register(frameworks.NewDebugFramework(ctx))
 	registry.Register(frameworks.NewJmxFramework(ctx))
diff --git a/src/java/frameworks/container_security_provider.go b/src/java/frameworks/container_security_provider.go
@@ -0,0 +1,265 @@
+package frameworks
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strconv"
+)
+
+// ContainerSecurityProviderFramework implements container-based security provider support
+// This framework provides CloudFoundryContainerProvider for Java security integration
+type ContainerSecurityProviderFramework struct {
+	context *Context
+}
+
+// NewContainerSecurityProviderFramework creates a new container security provider framework instance
+func NewContainerSecurityProviderFramework(ctx *Context) *ContainerSecurityProviderFramework {
+	return &ContainerSecurityProviderFramework{context: ctx}
+}
+
+// Detect checks if container security provider should be included
+// Enabled by default, can be disabled via configuration
+func (c *ContainerSecurityProviderFramework) Detect() (string, error) {
+	// Enabled by default to provide container-based security
+	return "Container Security Provider", nil
+}
+
+// Supply installs the container security provider JAR
+func (c *ContainerSecurityProviderFramework) Supply() error {
+	c.context.Log.BeginStep("Installing Container Security Provider")
+
+	// Get container-security-provider dependency from manifest
+	dep, err := c.context.Manifest.DefaultVersion("container-security-provider")
+	if err != nil {
+		return fmt.Errorf("unable to determine Container Security Provider version: %w", err)
+	}
+
+	// Install container security provider JAR
+	providerDir := filepath.Join(c.context.Stager.DepDir(), "container_security_provider")
+	if err := c.context.Installer.InstallDependency(dep, providerDir); err != nil {
+		return fmt.Errorf("failed to install Container Security Provider: %w", err)
+	}
+
+	c.context.Log.Info("Installed Container Security Provider version %s", dep.Version)
+	return nil
+}
+
+// Finalize configures the container security provider for runtime
+func (c *ContainerSecurityProviderFramework) Finalize() error {
+	// Find the installed JAR
+	providerDir := filepath.Join(c.context.Stager.DepDir(), "container_security_provider")
+	jarPattern := filepath.Join(providerDir, "container-security-provider-*.jar")
+
+	matches, err := filepath.Glob(jarPattern)
+	if err != nil || len(matches) == 0 {
+		// JAR not found, might not have been installed
+		return nil
+	}
+
+	jarPath := matches[0]
+
+	// Detect Java version to determine extension mechanism
+	// Java 9+ uses root libraries (-Xbootclasspath/a), Java 8 uses extension directories
+	javaVersion, err := c.getJavaMajorVersion()
+	if err != nil {
+		c.context.Log.Warning("Unable to detect Java version, assuming Java 8: %s", err.Error())
+		javaVersion = 8
+	}
+
+	// Add to JAVA_OPTS
+	javaOpts := ""
+	if javaVersion >= 9 {
+		// Java 9+: Add to bootstrap classpath via -Xbootclasspath/a
+		javaOpts = fmt.Sprintf("-Xbootclasspath/a:%s", jarPath)
+	} else {
+		// Java 8: Use extension directory
+		javaOpts = fmt.Sprintf("-Djava.ext.dirs=%s:$JAVA_HOME/jre/lib/ext:$JAVA_HOME/lib/ext", providerDir)
+	}
+
+	// Add security provider to java.security.properties
+	// Insert at position 1 (after default providers)
+	securityProvider := "-Djava.security.properties=" + filepath.Join(c.context.Stager.DepDir(), "container_security_provider", "java.security")
+	javaOpts += " " + securityProvider
+
+	// Write security properties file
+	if err := c.writeSecurityProperties(); err != nil {
+		return fmt.Errorf("failed to write security properties: %w", err)
+	}
+
+	// Add key manager and trust manager configuration if specified
+	keyManagerEnabled := c.getKeyManagerEnabled()
+	if keyManagerEnabled != "" {
+		javaOpts += fmt.Sprintf(" -Dorg.cloudfoundry.security.keymanager.enabled=%s", keyManagerEnabled)
+	}
+
+	trustManagerEnabled := c.getTrustManagerEnabled()
+	if trustManagerEnabled != "" {
+		javaOpts += fmt.Sprintf(" -Dorg.cloudfoundry.security.trustmanager.enabled=%s", trustManagerEnabled)
+	}
+
+	// Write JAVA_OPTS to environment
+	existingOpts := os.Getenv("JAVA_OPTS")
+	if existingOpts != "" {
+		javaOpts = existingOpts + " " + javaOpts
+	}
+
+	if err := c.context.Stager.WriteEnvFile("JAVA_OPTS", javaOpts); err != nil {
+		return fmt.Errorf("failed to set JAVA_OPTS for Container Security Provider: %w", err)
+	}
+
+	return nil
+}
+
+// writeSecurityProperties writes the java.security properties file with CloudFoundryContainerProvider
+func (c *ContainerSecurityProviderFramework) writeSecurityProperties() error {
+	providerDir := filepath.Join(c.context.Stager.DepDir(), "container_security_provider")
+	securityFile := filepath.Join(providerDir, "java.security")
+
+	// Write security provider configuration
+	// Insert CloudFoundryContainerProvider at position 1
+	content := "security.provider.1=org.cloudfoundry.security.CloudFoundryContainerProvider\n"
+
+	if err := os.WriteFile(securityFile, []byte(content), 0644); err != nil {
+		return fmt.Errorf("failed to write security properties file: %w", err)
+	}
+
+	return nil
+}
+
+// getJavaMajorVersion detects the Java major version from JAVA_HOME
+func (c *ContainerSecurityProviderFramework) getJavaMajorVersion() (int, error) {
+	// Check if JAVA_HOME is set
+	javaHome := os.Getenv("JAVA_HOME")
+	if javaHome == "" {
+		return 0, fmt.Errorf("JAVA_HOME not set")
+	}
+
+	// Read release file
+	releaseFile := filepath.Join(javaHome, "release")
+	content, err := os.ReadFile(releaseFile)
+	if err != nil {
+		return 0, fmt.Errorf("failed to read release file: %w", err)
+	}
+
+	// Parse JAVA_VERSION from release file
+	version := parseJavaVersion(string(content))
+	if version == 0 {
+		return 0, fmt.Errorf("unable to parse Java version")
+	}
+
+	return version, nil
+}
+
+// getKeyManagerEnabled returns the key_manager_enabled configuration value
+func (c *ContainerSecurityProviderFramework) getKeyManagerEnabled() string {
+	config := os.Getenv("JBP_CONFIG_CONTAINER_SECURITY_PROVIDER")
+	if config == "" {
+		return ""
+	}
+
+	// Parse configuration for key_manager_enabled
+	// Format: {key_manager_enabled: true} or {'key_manager_enabled': 'true'}
+	if contains(config, "key_manager_enabled") {
+		if contains(config, "true") {
+			return "true"
+		}
+		if contains(config, "false") {
+			return "false"
+		}
+	}
+
+	return ""
+}
+
+// getTrustManagerEnabled returns the trust_manager_enabled configuration value
+func (c *ContainerSecurityProviderFramework) getTrustManagerEnabled() string {
+	config := os.Getenv("JBP_CONFIG_CONTAINER_SECURITY_PROVIDER")
+	if config == "" {
+		return ""
+	}
+
+	// Parse configuration for trust_manager_enabled
+	// Format: {trust_manager_enabled: true} or {'trust_manager_enabled': 'true'}
+	if contains(config, "trust_manager_enabled") {
+		if contains(config, "true") {
+			return "true"
+		}
+		if contains(config, "false") {
+			return "false"
+		}
+	}
+
+	return ""
+}
+
+// parseJavaVersion parses Java major version from release file content
+func parseJavaVersion(content string) int {
+	// Look for JAVA_VERSION="1.8.0_..." or JAVA_VERSION="11.0...."
+	lines := splitByNewline(content)
+	for _, line := range lines {
+		if contains(line, "JAVA_VERSION=") {
+			// Extract version string
+			start := stringIndexOf(line, "\"")
+			if start == -1 {
+				continue
+			}
+			end := stringIndexOf(line[start+1:], "\"")
+			if end == -1 {
+				continue
+			}
+			version := line[start+1 : start+1+end]
+
+			// Parse major version
+			if stringStartsWith(version, "1.8") {
+				return 8
+			}
+			if stringStartsWith(version, "1.7") {
+				return 7
+			}
+
+			// Java 9+ format: "11.0.1" or "17.0.1"
+			dotIndex := stringIndexOf(version, ".")
+			if dotIndex > 0 {
+				major := version[:dotIndex]
+				if majorVersion, err := strconv.Atoi(major); err == nil {
+					return majorVersion
+				}
+			}
+		}
+	}
+
+	return 0
+}
+
+// Helper functions for string manipulation
+func splitByNewline(s string) []string {
+	var lines []string
+	start := 0
+	for i := 0; i < len(s); i++ {
+		if s[i] == '\n' {
+			lines = append(lines, s[start:i])
+			start = i + 1
+		}
+	}
+	if start < len(s) {
+		lines = append(lines, s[start:])
+	}
+	return lines
+}
+
+func stringIndexOf(s, substr string) int {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return i
+		}
+	}
+	return -1
+}
+
+func stringStartsWith(s, prefix string) bool {
+	if len(s) < len(prefix) {
+		return false
+	}
+	return s[:len(prefix)] == prefix
+}
diff --git a/src/java/frameworks/luna_security_provider.go b/src/java/frameworks/luna_security_provider.go
diff --git a/src/java/supply/supply.go b/src/java/supply/supply.go
