Merge pull request #48 from Axway-API-Management-Plus/cassandra_client_auth

Cassandra client auth

Author: rathnapandi

.github/badges/jacoco.svg

@@ -6,7 +6,7 @@
 
     <groupId>com.axway</groupId>
     <artifactId>apim-env-module</artifactId>
-    <version>1.1.9</version>
+    <version>1.1.10</version>
 
     <name>apim-env-module</name>
     <url>https://axway.com</url>

README.md

@@ -72,21 +72,28 @@ public void updatePassword(EntityStore entityStore) {
                     disableInterface(entityStore, filterName, "InetInterface");
                 }
             } else if (key.equalsIgnoreCase("cassandra_disablessl")) {
-                if (passwordValue.equalsIgnoreCase("true")) {
-                    disableCassandraSSL(entityStore);
-                }
+                disableCassandraSSL(entityStore, passwordValue);
             } else if (key.startsWith("cassandraCert")) {
                 try {
-                    List<X509Certificate> certificates = certHelper.parseX509(passwordValue);
-                    int index = 0;
-                    for (X509Certificate certificate : certificates) {
-                        String alias = importPublicCertificate(certificate, entityStore);
-                        if (alias != null) {
-                            updateCassandraCert(entityStore, alias, index != 0);
-                            index++;
+                    String pemKey = System.getenv("cassandra_private_key");
+                    String publicKey = System.getenv("cassandra_public_key");
+                    if( pemKey != null && publicKey != null) {
+                        PKCS12 pkcs12 = importCertAndKeyAndCA(entityStore, publicKey, passwordValue, pemKey, null);
+                        Trace.info("Pem file alias name :" + pkcs12.getAlias());
+                        updateCassandraCertAndKey(entityStore, pkcs12.getAlias(), pkcs12.getCertificates());
+                    }else {
+                        List<X509Certificate> certificates = certHelper.parseX509(passwordValue);
+
+                        int index = 0;
+                        for (X509Certificate certificate : certificates) {
+                            String alias = importPublicCertificate(certificate, entityStore);
+                            if (alias != null) {
+                                updateCassandraCert(entityStore, alias, index != 0);
+                                index++;
+                            }
                         }
                     }
-                } catch (CertificateException | FileNotFoundException e) {
+                } catch (Exception e) {
                     Trace.error("Unable to add Cassandra certificate from Environment variable", e);
                 }
             } else if (key.startsWith("certandkey_")) {
@@ -375,22 +382,52 @@ public void updateCassandraPassword(EntityStore entityStore, char[] password) {
         entityStore.updateEntity(entity);
     }
 
-    public void updateCassandraCert(EntityStore entityStore, String alias, boolean append) {
+
+
+    public void updateCassandraCertAndKey(EntityStore entityStore, String clientAuthAlias, Certificate[] certificates) {
+        Entity entity = getCassandraEntity(entityStore);
+        boolean useSSL = entity.getBooleanValue("useSSL");
+        if (useSSL) {
+
+            String clientAuth = "sslCertificate";
+            updateCertEntity(entityStore, entity, clientAuthAlias, clientAuth, false);
+            String filedName = "sslTrustedCerts";
+
+            if( certificates.length > 1){
+                // Start from 1 To ignore public key associated with private key
+                for (int i = 1; i < certificates.length; i++) {
+                    Certificate certificate = certificates[i];
+                    String alias = Util.getAliasName((X509Certificate) certificate);
+                    updateCertEntity(entityStore, entity, alias, filedName, true);
+                }
+            }
+        }
+    }
+
+    public Entity  getCassandraEntity(EntityStore entityStore){
         String shorthandKey = "/[CassandraSettings]name=Cassandra Settings";
-        Entity entity = getEntity(entityStore, shorthandKey);
+        return getEntity(entityStore, shorthandKey);
+    }
+
+    public void updateCassandraCert(EntityStore entityStore, String alias, boolean append) {
+        Entity entity = getCassandraEntity(entityStore);
         boolean useSSL = entity.getBooleanValue("useSSL");
         if (useSSL) {
             String filedName = "sslTrustedCerts";
             updateCertEntity(entityStore, entity, alias, filedName, append);
         }
     }
 
-    public void disableCassandraSSL(EntityStore entityStore) {
+    public void disableCassandraSSL(EntityStore entityStore, String value) {
         String shorthandKey = "/[CassandraSettings]name=Cassandra Settings";
         Entity entity = getEntity(entityStore, shorthandKey);
-        entity.setBooleanField("useSSL", false);
+        boolean boolValue = Boolean.parseBoolean(value);
+        entity.setBooleanField("useSSL", !boolValue);
         entityStore.updateEntity(entity);
-        Trace.info("Disabled Cassandra SSL");
+        if(!boolValue)
+            Trace.info("Disabled Cassandra SSL");
+        else
+            Trace.info("Enabled Cassandra SSL");
     }
 
     // Supports both HTTP and HTTPS interfaces where interfaceType are InetInterface, SSLInterface
@@ -415,7 +452,6 @@ private String importPublicCertificate(X509Certificate certificate, EntityStore
             String escapedAlias = ShorthandKeyFinder.escapeFieldValue(alias);
             Entity certEntity = getCertEntity(entityStore, escapedAlias);
             Trace.info("Alias :" + alias + "Escaped alias :" + escapedAlias);
-
             if (certEntity == null) {
                 Trace.info("Adding cert");
                 certEntity = EntityStoreDelegate.createDefaultedEntity(entityStore, "Certificate");
@@ -498,14 +534,16 @@ private void updateCertEntity(EntityStore entityStore, Entity entity, String ali
                 String certStoreDistinguishedName = espk.getFieldValueOfReferencedEntity("dname");
                 Trace.info(" alias name from Gateway Cert store :" + certStoreDistinguishedName);
                 if (certStoreDistinguishedName.equals(alias)) {
-                    Trace.info("Removing existing certs" + alias);
+                    Trace.info("Removing existing cert as it matches the current cert" + alias);
                     values.remove(value);
+                    continue;
                 }
-                Trace.info("adding " + alias);
-                values.add(new Value(portableESPK));
             }
+            Trace.info("adding " + alias);
+            values.add(new Value(portableESPK));
             field.setValues(values);
         } else {
+            Trace.debug("Replacing exising cert reference");
             entity.setReferenceField(fieldName, portableESPK);
         }
         entityStore.updateEntity(entity);

pom.xml

@@ -1,5 +1,6 @@
 package com.axway;
 
+import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
@@ -30,4 +31,14 @@ public static Map<String, Map<String, String>> parseCred(Map<String, String> env
         }
         return values;
     }
+
+    public static String getAliasName(X509Certificate certificate){
+
+
+        String alias = certificate.getSubjectDN().getName();
+        if (alias.equals("")) {
+            alias = certificate.getSerialNumber().toString();
+        }
+        return alias;
+    }
 }

src/main/java/com/axway/ExternalConfigLoader.java

@@ -3,6 +3,7 @@
 import com.vordel.es.Entity;
 import com.vordel.es.EntityStore;
 import com.vordel.es.EntityStoreFactory;
+import com.vordel.es.Value;
 import com.vordel.es.util.ShorthandKeyFinder;
 import com.vordel.es.xes.PortableESPK;
 import com.vordel.trace.Trace;
@@ -25,6 +26,7 @@
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.*;
+import java.util.stream.Collectors;
 
 import static org.powermock.api.mockito.PowerMockito.mockStatic;
 
@@ -79,12 +81,26 @@ public void testDisableInterface(){
     @Test
     public void testDisableCassandraSSL(){
 
-        externalConfigLoader.disableCassandraSSL(entityStore);
+        externalConfigLoader.disableCassandraSSL(entityStore, "true");
         String shorthandKey = "/[CassandraSettings]name=Cassandra Settings";
         Entity entity = externalConfigLoader.getEntity(entityStore, shorthandKey);
+        System.out.println(entity.getBooleanValue("useSSL"));
         Assert.assertFalse(entity.getBooleanValue("useSSL"));
     }
 
+    @Test
+    public void testEnableCassandraSSL() throws NoSuchFieldException, IllegalAccessException{
+
+        Map<String, String> envVars =  new HashMap<>();
+        envVars.put("cassandra_disablessl", "false");
+        setupEnvVariables(envVars);
+        externalConfigLoader.updatePassword(entityStore);
+        String shorthandKey = "/[CassandraSettings]name=Cassandra Settings";
+        Entity entity = externalConfigLoader.getEntity(entityStore, shorthandKey);
+        Assert.assertTrue(entity.getBooleanValue("useSSL"));
+    }
+
+
 
     @Test
     public void testUpdateLDAP(){
@@ -237,6 +253,8 @@ public void testUpdateCassandraCert() throws NoSuchFieldException, IllegalAccess
             "PLHu3INlHcXQs3AY0wNBLhL2jBwZ0uwBYK+entFpCgb+Z+RQ+uxs3joYuKEMj6M6\n" +
             "6Xi8yAoGAN92VRi93iss3A7zoAsrPXCO7pNZdz3QzJ3Jjv9KW48DmQ==\n" +
             "-----END CERTIFICATE-----";
+
+
         envVars.put("cassandraCert_root", certificate);
         setupEnvVariables(envVars);
         String shorthandKey = "/[CassandraSettings]name=Cassandra Settings";
@@ -249,6 +267,59 @@ public void testUpdateCassandraCert() throws NoSuchFieldException, IllegalAccess
 
     }
 
+
+    @Test
+    public void testUpdateCassandraCertAndKey() throws NoSuchFieldException, IllegalAccessException {
+
+        Map<String, String> envVars =  new HashMap<>();
+        String certificate = "-----BEGIN CERTIFICATE-----\n" +
+            "MIICxDCCAaygAwIBAgIGAW5HwjW7MA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMM\n" +
+            "BkRvbWFpbjAgFw0xOTEwMzEyMTI1NDBaGA8yMTE5MTAxNDIxMjU0MFowETEPMA0G\n" +
+            "A1UEAwwGRG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlX2n\n" +
+            "ePJaDMGWpNUwgyCfyDVIMjLKRjvJ7bID+BF+LI9gxJ2mUVFXl822fT3m2BR5oG8s\n" +
+            "N/8JgvM+ie2PHxAWYokQcRSwYAFmMMMKp69M8sqAJHrm/QoVvFwCFVm+7DqJVKWu\n" +
+            "q5K+J+ophJQNhvSl0KLorFI8IodLZq5cDtyhfaB27Zbk1A9ha4PfXmnoFWbDwoZU\n" +
+            "UanoUy3xisbZ6HTvGKkawn53XaRJo5rn13b/9Np8PCJZLNmAiWoIB3NVyetwxS5C\n" +
+            "4FwIm2ZRJZny5l+CgJ9Frs9Y0teAz4Z1bqJWn+kfBCxGW8Ab7W7t6ah3a/WoQxi2\n" +
+            "HDU/134lBvoPhh9udwIDAQABoyAwHjAPBgNVHRMECDAGAQH/AgEAMAsGA1UdDwQE\n" +
+            "AwICvDANBgkqhkiG9w0BAQsFAAOCAQEAlEo5pn1j8spkVg3RbLap80iwo8Slk+Fw\n" +
+            "v8tGqR+GJEiJXDgnPPDMkrE+wtC1kT4VxyQw8D0eittUPjFmoMdxoUwM5Ddf4qS7\n" +
+            "3LBO74CULyFZ0teyJoaVBjaG6MTg0ZfwUZt552IVLBgjbbE/yYu/dOJckpZlcZE7\n" +
+            "yRw3ffr/trqh2B5tzwJMnWsakRwAtooRJ2RZ8ufQUhEYdI/7KJajZDQ0IFxleyPZ\n" +
+            "PLHu3INlHcXQs3AY0wNBLhL2jBwZ0uwBYK+entFpCgb+Z+RQ+uxs3joYuKEMj6M6\n" +
+            "6Xi8yAoGAN92VRi93iss3A7zoAsrPXCO7pNZdz3QzJ3Jjv9KW48DmQ==\n" +
+            "-----END CERTIFICATE-----";
+
+        String pemKey = "src/test/resources/acp-key.pem";
+        String cert = "src/test/resources/acp-crt.pem";
+
+
+        envVars.put("cassandraCert_root", certificate);
+        envVars.put("cassandra_private_key", pemKey);
+        envVars.put("cassandra_public_key", cert);
+
+        setupEnvVariables(envVars);
+        String shorthandKey = "/[CassandraSettings]name=Cassandra Settings";
+        Entity entity = externalConfigLoader.getEntity(entityStore, shorthandKey);
+        entity.setBooleanField("useSSL", true);
+        entityStore.updateEntity(entity);
+        externalConfigLoader.updatePassword(entityStore);
+        entity = externalConfigLoader.getEntity(entityStore, shorthandKey);
+        String certAlias = "/[Certificates]name=Certificate Store/[Certificate]dname=CN=Domain";
+        List<Value> values = entity.getField("sslTrustedCerts").getValueList();
+
+        System.out.println(values);
+        System.out.println(values.size());
+        List<Value> filteredValues = values.stream().filter(value -> ((PortableESPK)value.getRef()).toShorthandString().equals(certAlias)).collect(Collectors.toList());
+
+        Assert.assertEquals("sslTrustedCerts", certAlias, ((PortableESPK)filteredValues.get(0).getRef()).toShorthandString());
+        Assert.assertEquals("sslCertificate", "/[Certificates]name=Certificate Store/[Certificate]dname=213910179734667807042092962809881497910", ((PortableESPK)entity.getField("sslCertificate").getValueList().get(0).getRef()).toShorthandString());
+
+
+    }
+
+
+
     @Test
     public void testUpdateCassandraKPSTablesConsistencyLevel(){
 

src/main/java/com/axway/Util.java

@@ -1 +1 @@
-cf683379d11b876556502b0c76ea031796da4cd3c5537ad5346037db4ccc9b3f
+446511abc9f9cd7584f5009fbbc2b455562be047a09f2b53d9e0d1960adcac01