Polishing

nebhale · nebhale · commit dffe22a3376d · 2017-02-24T12:01:54.000-08:00
This change polishes up the contribution to be a bit more idomatic for the project. [cloudfoundry#385]
diff --git a/README.md b/README.md
@@ -89,6 +89,7 @@ To learn how to configure various properties of the buildpack, follow the "Confi
 	* [Play Framework Auto Reconfiguration](docs/framework-play_framework_auto_reconfiguration.md) ([Configuration](docs/framework-play_framework_auto_reconfiguration.md#configuration))
 	* [Play Framework JPA Plugin](docs/framework-play_framework_jpa_plugin.md) ([Configuration](docs/framework-play_framework_jpa_plugin.md#configuration))
 	* [PostgreSQL JDBC](docs/framework-postgresql_jdbc.md) ([Configuration](docs/framework-postgresql_jdbc.md#configuration))
+	* [ProtectApp Security Provider](docs/framework-protect_app_security_provider.md) ([Configuration](docs/framework-protect_app_security_provider.md#configuration))
 	* [Spring Auto Reconfiguration](docs/framework-spring_auto_reconfiguration.md) ([Configuration](docs/framework-spring_auto_reconfiguration.md#configuration))
 	* [Spring Insight](docs/framework-spring_insight.md)
 	* [YourKit Profiler](docs/framework-your_kit_profiler.md) ([Configuration](docs/framework-your_kit_profiler.md#configuration))
diff --git a/config/components.yml b/config/components.yml
@@ -52,7 +52,7 @@ frameworks:
   - "JavaBuildpack::Framework::NewRelicAgent"
   - "JavaBuildpack::Framework::PlayFrameworkAutoReconfiguration"
   - "JavaBuildpack::Framework::PlayFrameworkJPAPlugin"
-  - "JavaBuildpack::Framework::PostgresqlJDBC
+  - "JavaBuildpack::Framework::PostgresqlJDBC"
   - "JavaBuildpack::Framework::ProtectAppSecurityProvider"
   - "JavaBuildpack::Framework::SpringAutoReconfiguration"
   - "JavaBuildpack::Framework::SpringInsight"
diff --git a/docs/framework-protect_app_security_provider.md b/docs/framework-protect_app_security_provider.md
@@ -1,5 +1,5 @@
 # ProtectApp Security Provider Framework
-The ProtectApp Security Provider Framework causes an application to be automatically configured to work with a bound [ProtectApp Security Service][]. 
+The ProtectApp Security Provider Framework causes an application to be automatically configured to work with a bound [ProtectApp Security Service][].
 
 <table>
   <tr>
@@ -20,65 +20,61 @@ When binding to the ProtectApp Security Provider using a user-provided service,
 | Name | Description
 | ---- | -----------
 | `client` | The client configuration
-| `trustedcerts` | An array of certs containing trust information
+| `trusted_certificates` | An array of certs containing trust information
 | `NAE_IP.1` | A list of KeySecure server ips or hostnames to be used
 | `***` | (Optional) Any additional entries will be applied as a system property appended to `-Dcom.ingrian.security.nae.` to allow full configuration of the library.
 
-
 #### Client Configuration
 | Name | Description
 | ---- | -----------
 | `certificate` | A PEM encoded client certificate
-| `private-key` | A PEM encoded client private key
+| `private_key` | A PEM encoded client private key
 
 #### Trusted Certs Configuration
-One or more PEM encoded certificate 
-
+One or more PEM encoded certificate
 
 ### Example Credentials Payload
 ```
 {
   "client": {
     "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
-    "private-key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----",
+    "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
   },
-  "trustedcerts": [
-    "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
-    ,
+  "trusted_certificates": [
+    "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
     "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
   ],
   "NAE_IP.1": "192.168.1.25:192.168.1.26"
-  
 }
 ```
 
 ### Creating Credential Payload
 In order to create the credentials payload, you should collapse the JSON payload to a single line and set it like the following
 
 ```
-$ cf create-user-provided-service protectapp -p '{"client":{"certificate":"-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----","private-key":"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n"},"trustedcerts":["-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"],NAE_IP.1":"172.17.34.100"}
+$ cf create-user-provided-service protectapp -p '{"client":{"certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----","private_key":"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"},"trusted_certificates":["-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----","-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"],"NAE_IP.1":"192.168.1.25:192.168.1.26"}'
 ```
 
-
 You may want to use a file for this
 
 Note the client portion is very exacting and needs line breaks in the body every 64 characters.
 
-	1. The file must contain:
-	-----BEGIN CERTIFICATE-----
-	on a separate line (i.e. it must be terminated with a newline).
-	2. Each line of "gibberish" must be 64 characters wide.
-	3. The file must end with:
-	-----END CERTIFICATE-----
-	and also be terminated with a newline.
-	4. Don't save the cert text with Word. It must be in ASCII.
-	5. Don't mix DOS and UNIX style line terminations.
+1. The file must contain:
+`-----BEGIN CERTIFICATE-----`
+on a separate line (i.e. it must be terminated with a newline).
+1. Each line of "gibberish" must be 64 characters wide.
+1. The file must end with:
+`-----END CERTIFICATE-----`
+and also be terminated with a newline.
+1. Don't save the cert text with Word. It must be in ASCII.
+1. Don't mix DOS and UNIX style line terminations.
 
 So, here are a few steps you can take to normalize your certificate:
-	1. Run it through dos2unix
-	   dos2unix cert.pem
-	2. Run it through fold
-	   fold -w 64 cert.pem
+
+1. Run it through `dos2unix`
+`$ dos2unix cert.pem`
+1. Run it through `fold`
+`$ fold -w 64 cert.pem`
 
 ## Configuration
 For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to [Configuration and Extension][].
@@ -91,7 +87,7 @@ The framework can be configured by modifying the [`config/protect_app_security_p
 | `version` | Version of the ProtectApp Security Provider to use.
 
 ### Additional Resources
-The framework can also be configured by overlaying a set of resources on the default distribution.  To do this, add files to the `resources/pprotect_app_security_provider` directory in the buildpack fork.
+The framework can also be configured by overlaying a set of resources on the default distribution.  To do this, add files to the `resources/protect_app_security_provider` directory in the buildpack fork.
 
 [`config/protect_app_security_provider.yml`]: ../config/protect_app_security_provider.yml
 [ProtectApp Security Service]: https://safenet.gemalto.com/data-encryption/protectapp-application-protection/
diff --git a/lib/java_buildpack/framework/protect_app_security_provider.rb b/lib/java_buildpack/framework/protect_app_security_provider.rb
@@ -30,108 +30,61 @@ class ProtectAppSecurityProvider < JavaBuildpack::Component::VersionedDependency
 
       # (see JavaBuildpack::Component::BaseComponent#compile)
       def compile
-        download_zip
-
-		# copy default properties file
+        download_zip false
         @droplet.copy_resources
 
         credentials = @application.services.find_service(FILTER)['credentials']
-		
-        write_client credentials['client']
-        write_trusted_certs credentials['trustedcerts']
-				
-        certificates.each_with_index { |certificate, index| add_certificate certificate, index }
-        
-		# setup java keystore with provided values
-		merge_clientcert
-		import_clientcert
-		
+
+        pkcs12 = merge_client_credentials credentials['client']
+        add_client_credentials pkcs12
+
+        add_trusted_certificates credentials['trusted_certificates']
       end
 
       # (see JavaBuildpack::Component::BaseComponent#release)
       def release
-		credentials = @application.services.find_service(FILTER)['credentials']
+        credentials = @application.services.find_service(FILTER)['credentials']
         java_opts   = @droplet.java_opts
-		configuration = {}
-		
-		filter_known_input(credentials, configuration)
-		
-        write_java_opts(java_opts, configuration)
-        @droplet.java_opts
+
+        java_opts
           .add_system_property('java.ext.dirs', ext_dirs)
-		  .add_system_property('com.ingrian.security.nae.IngrianNAE_Properties_Conf_Filename', @droplet.sandbox + 'IngrianNAE.properties')
-		  .add_system_property('com.ingrian.security.nae.Key_Store_Location', key_store)
+          .add_system_property('java.security.properties', @droplet.sandbox + 'java.security')
+          .add_system_property('com.ingrian.security.nae.IngrianNAE_Properties_Conf_Filename',
+                               @droplet.sandbox + 'IngrianNAE.properties')
+          .add_system_property('com.ingrian.security.nae.Key_Store_Location', keystore)
           .add_system_property('com.ingrian.security.nae.Key_Store_Password', password)
+
+        credentials
+          .reject { |key, _| key =~ /^client$/ || key =~ /^trusted_certificates$/ }
+          .each { |key, value| java_opts.add_system_property("com.ingrian.security.nae.#{key}", value) }
       end
 
       protected
 
       # (see JavaBuildpack::Component::VersionedDependencyComponent#supports?)
       def supports?
-        @application.services.one_service? FILTER, 'client', 'trustedcerts'
+        @application.services.one_service? FILTER, 'client', 'trusted_certificates'
       end
 
       private
 
-      FILTER = /protectapp/.freeze
+      FILTER = /protectapp/
 
       private_constant :FILTER
-	  
-	  def merge_clientcert
-		
-        shell "openssl pkcs12 -export -in #{client_certificate} -inkey  #{client_private_key} -name  #{myclientcert} -out  #{myp12} -passout pass:#{password}" 
-      end
-	  
-	  def import_clientcert
-	  
-        shell "#{keytool} -importkeystore -noprompt -destkeystore #{key_store} -deststorepass #{password} " \
-			  "-srckeystore #{myp12} -srcstorepass #{password} -srcstoretype pkcs12" \
-              " -alias #{myclientcert}"
-      end
 
-     def add_certificate(certificate, index)
-
-        file = write_certificate certificate
-        shell "#{keytool} -importcert -noprompt -keystore #{key_store} -storepass #{password} " \
-              "-file #{file.to_path} -alias certificate-#{index}"
-      end
-	  
-      def certificates
-        certificates = []
-
-        certificate = nil
-        File.open(trusted_certificates).each_line do |line|
-          if line =~ /BEGIN CERTIFICATE/
-            certificate = line
-          elsif line =~ /END CERTIFICATE/
-            certificate += line
-            certificates << certificate
-            certificate = nil
-          elsif !certificate.nil?
-            certificate += line
-          end
-        end
-
-        certificates
-      end
-
-      def keytool
-        @droplet.java_home.root + 'bin/keytool'
-      end
-
-      def password
-        'nae-jks-password'
+      def add_client_credentials(pkcs12)
+        shell "#{keytool} -importkeystore -noprompt -destkeystore #{keystore} -deststorepass #{password} " \
+              "-srckeystore #{pkcs12.path} -srcstorepass #{password} -srcstoretype pkcs12" \
+              " -alias #{File.basename(pkcs12)}"
       end
 
-      def key_store
-        @droplet.sandbox + 'keystore.jks'
-      end
+      def add_trusted_certificates(trusted_certificates)
+        trusted_certificates.each do |certificate|
+          pem = write_certificate certificate
 
-      def write_certificate(certificate)
-        file = Tempfile.new('certificate-')
-        file.write(certificate)
-        file.fsync
-        file
+          shell "#{keytool} -importcert -noprompt -keystore #{keystore} -storepass #{password} " \
+                "-file #{pem.path} -alias #{File.basename(pem)}"
+        end
       end
 
       def ext_dir
@@ -142,54 +95,45 @@ def ext_dirs
         "#{qualify_path(@droplet.java_home.root + 'lib/ext', @droplet.root)}:" \
         "#{qualify_path(ext_dir, @droplet.root)}"
       end
-	  
-	  def client_certificate
-		File.join(Dir.tmpdir,'/client-certificate.pem')
-      end
 
-      def client_private_key
-		File.join(Dir.tmpdir,'/client-private-key.pem')
+      def keystore
+        @droplet.sandbox + 'nae-keystore.jks'
       end
 
-      def trusted_certificates
-        File.join(Dir.tmpdir, 'trusted_certificates.pem')
-      end
-	  
-	  def myclientcert
-        'myclientcert'
-      end
-	  
-	  def myp12
-        File.join(Dir.tmpdir,'/clientwrap.p12')
+      def keytool
+        @droplet.java_home.root + 'bin/keytool'
       end
 
-      def write_client(client)
-        File.open(client_certificate, File::CREAT | File::WRONLY) do |f|
-          f.write "#{client['certificate']}\n"
-        end
+      def merge_client_credentials(credentials)
+        certificate = write_certificate credentials['certificate']
+        private_key = write_private_key credentials['private_key']
 
-        File.open(client_private_key, File::CREAT | File::WRONLY) do |f|
-          f.write "#{client['private-key']}\n"
-        end
+        pkcs12 = Tempfile.new('pkcs12-')
+        pkcs12.close
+
+        shell "openssl pkcs12 -export -in #{certificate.path} -inkey #{private_key.path} " \
+              "-name #{File.basename(pkcs12)} -out #{pkcs12.path} -passout pass:#{password}"
+
+        pkcs12
       end
-	  
-      def write_trusted_certs(trusted_certs)
-        File.open(trusted_certificates,File::CREAT | File::WRONLY) do |f|
-          trusted_certs.each { |cert| f.write "#{cert}\n" }
-        end
+
+      def password
+        'nae-keystore-password'
       end
-	  
-	  def filter_known_input(credentials, configuration)
-		credentials.each do |key, value|
-		  if key != "client" and key != "trustedcerts"
-		    configuration[key] = value
-		  end
+
+      def write_certificate(certificate)
+        Tempfile.open('certificate-') do |f|
+          f.write "#{certificate}\n"
+          f.sync
+          f
         end
-	  end
-	  
-	  def write_java_opts(java_opts, configuration2)
-        configuration2.each do |key, value|
-          	java_opts.add_system_property("com.ingrian.security.nae.#{key}", value )
+      end
+
+      def write_private_key(private_key)
+        Tempfile.open('private-key-') do |f|
+          f.write "#{private_key}\n"
+          f.sync
+          f
         end
       end
 
diff --git a/resources/protect_app_security_provider/java.security b/resources/protect_app_security_provider/java.security
@@ -0,0 +1 @@
+security.provider.10=com.ingrian.security.nae.IngrianProvider
diff --git a/spec/fixtures/stub-protect-app-security-provider.zip b/spec/fixtures/stub-protect-app-security-provider.zip
diff --git a/spec/java_buildpack/framework/protect_app_security_provider_spec.rb b/spec/java_buildpack/framework/protect_app_security_provider_spec.rb

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+security.provider.10=com.ingrian.security.nae.IngrianProvider`