
Commit 378f420

committed
Merge 104557654-luna-ha to master
[Completes #104557654]
2 parents 0ae541e + 529d109 commit 378f420


8 files changed

+259
-74
lines changed


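--- a/docs/framework-luna_security_provider.md
+++ b/docs/framework-luna_security_provider.md
@@ -19,12 +19,70 @@ When binding to the Luna Security Provider using a user-provided service, it mus
 
 | Name | Description
 | ---- | -----------
-| `host` | The controller host name
-| `host-certificate` | A PEM encoded host certificate
-| `client-private-key` | A PEM encoded client private key
-| `client-certificate` | A PEM encoded client certificate
+| `client` | A hash containing client configuration
+| `servers` | An array of hashes containing server configuration
+| `groups` | An array of hashes containing group configuration
 
-To provide more complex values such as the PEM certificates, using the interactive mode when creating a user-provided service will manage the character escaping automatically.
+#### Client Configuration
+| Name | Description
+| ---- | -----------
+| `certificate` | A PEM encoded client certificate
+| `private-key` | A PEM encoded client private key
+
+#### Server Configuration
+| Name | Description
+| ---- | -----------
+| `certificate` | A PEM encoded server certificate
+| `name` | A host name or address
+
+#### Group Configuration
+| Name | Description
+| ---- | -----------
+| `label` | The label for the group
+| `members` | An array of group member serial numbers
+
+### Example Credentials Payload
+```
+{
+"client": {
+"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
+"private-key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
+},
+"servers": [
+{
+"name": "test-host-1",
+"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+},
+{
+"name": "test-host-2",
+"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+}
+],
+"groups": [
+{
+"label": "test-group-1",
+"members": [
+"test-serial-number-1",
+"test-serial-number-2"
+]
+},
+{
+"label": "test-group-2",
+"members": [
+"test-serial-number-3",
+"test-serial-number-4"
+]
+}
+]
+}
+```
+
+### Creating Credential Payload
+In order to create the credentials payload, you should collapse the JSON payload to a single line and set it like the following
+
+```
+$ cf create-user-provided-service luna -p '{"client":{"certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----","private-key":"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"},"servers":[{"name":"test-host-1","certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"},{"name":"test-host-2","certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"}],"groups":[{"label":"test-group-1","members":["test-serial-number-1","test-serial-number-2"]},{"label":"test-group-2","members":["test-serial-number-3","test-serial-number-4"]}]}'
+```
 
 ## Configuration
 For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to [Configuration and Extension][].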

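--- a/lib/java_buildpack/framework/luna_security_provider.rb
+++ b/lib/java_buildpack/framework/luna_security_provider.rb
@@ -32,10 +32,9 @@ def compile
 @droplet.copy_resources
 
 credentials = @application.services.find_service(FILTER)['credentials']
-write_host_certificate credentials
-write_client_certificate credentials
-write_client_private_key credentials
-write_host credentials
+write_client credentials['client']
+write_servers credentials['servers']
+write_configuration credentials['servers'], credentials['groups']
 end
 
 # (see JavaBuildpack::Component::BaseComponent#release)
@@ -51,8 +50,7 @@ def release
 
 # (see JavaBuildpack::Component::VersionedDependencyComponent#supports?)
 def supports?
-@application.services.one_service? FILTER, 'host', 'host-certificate', 'client-private-key',
-'client-certificate'
+@application.services.one_service? FILTER, 'client', 'servers', 'groups'
 end
 
 private
@@ -66,11 +64,11 @@ def chrystoki
 end
 
 def client_certificate
-@droplet.sandbox + 'usr/safenet/lunaclient/cert/client/ClientNameCert.pem'
+@droplet.sandbox + 'usr/safenet/lunaclient/cert/client/client-certificate.pem'
 end
 
 def client_private_key
-@droplet.sandbox + 'usr/safenet/lunaclient/cert/client/ClientNameKey.pem'
+@droplet.sandbox + 'usr/safenet/lunaclient/cert/client/client-private-key.pem'
 end
 
 def expand(file)
@@ -91,10 +89,6 @@ def ext_dirs
 "#{qualify_path(@droplet.sandbox + 'usr/safenet/lunaclient/jsp/lib', @droplet.root)}"
 end
 
-def host_certificate
-@droplet.sandbox + 'usr/safenet/lunaclient/cert/server/CAFile.pem'
-end
-
 def install_client(root)
 FileUtils.mkdir_p @droplet.sandbox
 
@@ -112,37 +106,95 @@ def lunajsp(root)
 Dir[root + 'lunajsp-*.x86_64.rpm'][0]
 end
 
+def padded_index(index)
+index.to_s.rjust(2, '0')
+end
+
+def relative(path)
+path.relative_path_from(@droplet.root)
+end
+
 def rpm2cpio
 Pathname.new(File.expand_path('../rpm2cpio.py', __FILE__))
 end
 
-def write_client_certificate(credentials)
-FileUtils.mkdir_p client_certificate.parent
-client_certificate.open(File::CREAT | File::WRONLY) { |f| f.write credentials['client-certificate'] }
+def server_certificates
+@droplet.sandbox + 'usr/safenet/lunaclient/cert/server/server-certificates.pem'
 end
 
-def write_client_private_key(credentials)
+def write_client(client)
+FileUtils.mkdir_p client_certificate.parent
+client_certificate.open(File::CREAT | File::WRONLY) do |f|
+f.write "#{client['certificate']}\n"
+end
+
 FileUtils.mkdir_p client_private_key.parent
-client_private_key.open(File::CREAT | File::WRONLY) { |f| f.write credentials['client-private-key'] }
+client_private_key.open(File::CREAT | File::WRONLY) do |f|
+f.write "#{client['private-key']}\n"
+end
+end
+
+def write_configuration(servers, groups)
+chrystoki.open(File::APPEND | File::WRONLY) do |f|
+write_prologue f
+servers.each_with_index { |server, index| write_server f, index, server }
+f.write <<EOS
+}
+
+VirtualToken = {
+EOS
+groups.each_with_index { |group, index| write_group f, index, group }
+write_epilogue f
+end
 end
 
-def write_host_certificate(credentials)
-FileUtils.mkdir_p host_certificate.parent
-host_certificate.open(File::CREAT | File::WRONLY) { |f| f.write credentials['host-certificate'] }
+def write_epilogue(f)
+f.write <<EOS
+}
+EOS
 end
 
-def write_host(credentials)
-content = chrystoki.open(File::RDONLY) { |f| f.read }
-content.gsub!(/@@HOST@@/, credentials['host'])
+def write_group(f, index, group)
+padded_index = padded_index index
+
+f.write " VirtualToken#{padded_index}Label = #{group['label']};\n"
+f.write " VirtualToken#{padded_index}SN = 1#{group['members'][0]};\n"
+f.write " VirtualToken#{padded_index}Members = #{group['members'].join(',')};\n"
+f.write "\n"
+end
+
+def write_prologue(f)
+f.write <<EOS
+
+LunaSA Client = {
+HAOnly = 1;
+NetClient = 1;
+
+ClientCertFile = #{relative(@droplet.sandbox + 'usr/safenet/lunaclient/cert/client/client-certificate.pem')};
+ClientPrivKeyFile = #{relative(@droplet.sandbox + 'usr/safenet/lunaclient/cert/client/client-private-key.pem')};
+HtlDir = #{relative(@droplet.sandbox + 'usr/safenet/lunaclient/htl')};
+ServerCAFile = #{relative(@droplet.sandbox + 'usr/safenet/lunaclient/cert/server/server-certificates.pem')};
+SSLConfigFile = #{relative(@droplet.sandbox + 'usr/safenet/lunaclient/bin/openssl.cnf')};
 
-chrystoki.open(File::CREAT | File::WRONLY) do |f|
-f.truncate 0
-f.write content
-f.sync
+EOS
+end
+
+def write_server(f, index, server)
+padded_index = padded_index index
+
+f.write " ServerName#{padded_index} = #{server['name']};\n"
+f.write " ServerPort#{padded_index} = 1792;\n"
+f.write " ServerHtl#{padded_index} = 0;\n"
+f.write "\n"
+end
+
+def write_servers(servers)
+FileUtils.mkdir_p server_certificates.parent
+server_certificates.open(File::CREAT | File::WRONLY) do |f|
+servers.each { |server| f.write "#{server['certificate']}\n" }
 end
 end
 
 end
-
 end
 end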
@@ -1,32 +1,21 @@
11
Chrystoki2 = {
2-
LibUNIX = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2.so;
3-
LibUNIX64 = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2_64.so;
2+
LibUNIX = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2.so;
3+
LibUNIX64 = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2_64.so;
44
}
55

66
Luna = {
7-
DefaultTimeOut = 500000;
8-
PEDTimeout1 = 100000;
9-
PEDTimeout2 = 100000;
10-
PEDTimeout3 = 10000;
11-
KeypairGenTimeOut = 2700000;
12-
CloningCommandTimeOut = 300000;
7+
DefaultTimeOut = 500000;
8+
PEDTimeout1 = 100000;
9+
PEDTimeout2 = 100000;
10+
PEDTimeout3 = 10000;
11+
KeypairGenTimeOut = 2700000;
12+
CloningCommandTimeOut = 300000;
1313
}
1414

1515
CardReader = {
1616
RemoteCommand = 1;
1717
}
18-
LunaSA Client = {
19-
ReceiveTimeout = 20000;
20-
SSLConfigFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/bin/openssl.cnf;
21-
ClientPrivKeyFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/client/ClientNameKey.pem;
22-
ClientCertFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/client/ClientNameCert.pem;
23-
ServerCAFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/server/CAFile.pem;
24-
NetClient = 1;
25-
HtlDir = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/htl/;
26-
ServerName00 = @@HOST@@;
27-
ServerPort00 = 1792;
28-
ServerHtl00 = 0;
29-
}
18+
3019
Misc = {
31-
ToolsDir = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/bin;
20+
ToolsDir = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/bin;
3221
}
@@ -0,0 +1,52 @@
1+
Chrystoki2 = {
2+
LibUNIX = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2.so;
3+
LibUNIX64 = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2_64.so;
4+
}
5+
6+
Luna = {
7+
DefaultTimeOut = 500000;
8+
PEDTimeout1 = 100000;
9+
PEDTimeout2 = 100000;
10+
PEDTimeout3 = 10000;
11+
KeypairGenTimeOut = 2700000;
12+
CloningCommandTimeOut = 300000;
13+
}
14+
15+
CardReader = {
16+
RemoteCommand = 1;
17+
}
18+
19+
Misc = {
20+
ToolsDir = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/bin;
21+
}
22+
23+
LunaSA Client = {
24+
HAOnly = 1;
25+
NetClient = 1;
26+
27+
ClientCertFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/client/client-certificate.pem;
28+
ClientPrivKeyFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/client/client-private-key.pem;
29+
HtlDir = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/htl;
30+
ServerCAFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/server/server-certificates.pem;
31+
SSLConfigFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/bin/openssl.cnf;
32+
33+
ServerName00 = test-server-1;
34+
ServerPort00 = 1792;
35+
ServerHtl00 = 0;
36+
37+
ServerName01 = test-server-2;
38+
ServerPort01 = 1792;
39+
ServerHtl01 = 0;
40+
41+
}
42+
43+
VirtualToken = {
44+
VirtualToken00Label = test-group-1;
45+
VirtualToken00SN = 1test-group-1-member-1;
46+
VirtualToken00Members = test-group-1-member-1,test-group-1-member-2;
47+
48+
VirtualToken01Label = test-group-2;
49+
VirtualToken01SN = 1test-group-2-member-1;
50+
VirtualToken01Members = test-group-2-member-1,test-group-2-member-2;
51+
52+
}
@@ -0,0 +1,3 @@
1+
-----BEGIN CERTIFICATE-----
2+
test-client-cert
3+
-----END CERTIFICATE-----
@@ -0,0 +1,3 @@
1+
-----BEGIN RSA PRIVATE KEY-----
2+
test-client-private-key
3+
-----END RSA PRIVATE KEY-----
@@ -0,0 +1,6 @@
1+
-----BEGIN CERTIFICATE-----
2+
test-server-1-cert
3+
-----END CERTIFICATE-----
4+
-----BEGIN CERTIFICATE-----
5+
test-server-2-cert
6+
-----END CERTIFICATE-----
