Merge 104557654-luna-ha to master

nebhale · nebhale · commit 378f420eb613 · 2015-10-05T15:42:22.000-07:00
[Completes #104557654]
diff --git a/docs/framework-luna_security_provider.md b/docs/framework-luna_security_provider.md
@@ -19,12 +19,70 @@ When binding to the Luna Security Provider using a user-provided service, it mus
 
 | Name | Description
 | ---- | -----------
-| `host` | The controller host name
-| `host-certificate` | A PEM encoded host certificate
-| `client-private-key` | A PEM encoded client private key
-| `client-certificate` | A PEM encoded client certificate
+| `client` | A hash containing client configuration
+| `servers` | An array of hashes containing server configuration
+| `groups` | An array of hashes containing group configuration
 
-To provide more complex values such as the PEM certificates, using the interactive mode when creating a user-provided service will manage the character escaping automatically.
+#### Client Configuration
+| Name | Description
+| ---- | -----------
+| `certificate` | A PEM encoded client certificate
+| `private-key` | A PEM encoded client private key
+
+#### Server Configuration
+| Name | Description
+| ---- | -----------
+| `certificate` | A PEM encoded server certificate
+| `name` | A host name or address
+
+#### Group Configuration
+| Name | Description
+| ---- | -----------
+| `label` | The label for the group
+| `members` | An array of group member serial numbers
+
+### Example Credentials Payload
+```
+{
+  "client": {
+    "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
+    "private-key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
+  },
+  "servers": [
+    {
+      "name": "test-host-1",
+      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+    },
+    {
+      "name": "test-host-2",
+      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+    }
+  ],
+  "groups": [
+    {
+      "label": "test-group-1",
+      "members": [
+        "test-serial-number-1",
+        "test-serial-number-2"
+      ]
+    },
+    {
+      "label": "test-group-2",
+      "members": [
+        "test-serial-number-3",
+        "test-serial-number-4"
+      ]
+    }
+  ]
+}
+```
+
+### Creating Credential Payload
+In order to create the credentials payload, you should collapse the JSON payload to a single line and set it like the following
+
+```
+$ cf create-user-provided-service luna -p '{"client":{"certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----","private-key":"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"},"servers":[{"name":"test-host-1","certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"},{"name":"test-host-2","certificate":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"}],"groups":[{"label":"test-group-1","members":["test-serial-number-1","test-serial-number-2"]},{"label":"test-group-2","members":["test-serial-number-3","test-serial-number-4"]}]}'
+```
 
 ## Configuration
 For general information on configuring the buildpack, including how to specify configuration values through environment variables, refer to [Configuration and Extension][].
diff --git a/lib/java_buildpack/framework/luna_security_provider.rb b/lib/java_buildpack/framework/luna_security_provider.rb
@@ -32,10 +32,9 @@ def compile
         @droplet.copy_resources
 
         credentials = @application.services.find_service(FILTER)['credentials']
-        write_host_certificate credentials
-        write_client_certificate credentials
-        write_client_private_key credentials
-        write_host credentials
+        write_client credentials['client']
+        write_servers credentials['servers']
+        write_configuration credentials['servers'], credentials['groups']
       end
 
       # (see JavaBuildpack::Component::BaseComponent#release)
@@ -51,8 +50,7 @@ def release
 
       # (see JavaBuildpack::Component::VersionedDependencyComponent#supports?)
       def supports?
-        @application.services.one_service? FILTER, 'host', 'host-certificate', 'client-private-key',
-                                           'client-certificate'
+        @application.services.one_service? FILTER, 'client', 'servers', 'groups'
       end
 
       private
@@ -66,11 +64,11 @@ def chrystoki
       end
 
       def client_certificate
-        @droplet.sandbox + 'usr/safenet/lunaclient/cert/client/ClientNameCert.pem'
+        @droplet.sandbox + 'usr/safenet/lunaclient/cert/client/client-certificate.pem'
       end
 
       def client_private_key
-        @droplet.sandbox + 'usr/safenet/lunaclient/cert/client/ClientNameKey.pem'
+        @droplet.sandbox + 'usr/safenet/lunaclient/cert/client/client-private-key.pem'
       end
 
       def expand(file)
@@ -91,10 +89,6 @@ def ext_dirs
         "#{qualify_path(@droplet.sandbox + 'usr/safenet/lunaclient/jsp/lib', @droplet.root)}"
       end
 
-      def host_certificate
-        @droplet.sandbox + 'usr/safenet/lunaclient/cert/server/CAFile.pem'
-      end
-
       def install_client(root)
         FileUtils.mkdir_p @droplet.sandbox
 
@@ -112,37 +106,95 @@ def lunajsp(root)
         Dir[root + 'lunajsp-*.x86_64.rpm'][0]
       end
 
+      def padded_index(index)
+        index.to_s.rjust(2, '0')
+      end
+
+      def relative(path)
+        path.relative_path_from(@droplet.root)
+      end
+
       def rpm2cpio
         Pathname.new(File.expand_path('../rpm2cpio.py', __FILE__))
       end
 
-      def write_client_certificate(credentials)
-        FileUtils.mkdir_p client_certificate.parent
-        client_certificate.open(File::CREAT | File::WRONLY) { |f| f.write credentials['client-certificate'] }
+      def server_certificates
+        @droplet.sandbox + 'usr/safenet/lunaclient/cert/server/server-certificates.pem'
       end
 
-      def write_client_private_key(credentials)
+      def write_client(client)
+        FileUtils.mkdir_p client_certificate.parent
+        client_certificate.open(File::CREAT | File::WRONLY) do |f|
+          f.write "#{client['certificate']}\n"
+        end
+
         FileUtils.mkdir_p client_private_key.parent
-        client_private_key.open(File::CREAT | File::WRONLY) { |f| f.write credentials['client-private-key'] }
+        client_private_key.open(File::CREAT | File::WRONLY) do |f|
+          f.write "#{client['private-key']}\n"
+        end
+      end
+
+      def write_configuration(servers, groups)
+        chrystoki.open(File::APPEND | File::WRONLY) do |f|
+          write_prologue f
+          servers.each_with_index { |server, index| write_server f, index, server }
+          f.write <<EOS
+}
+
+VirtualToken = {
+EOS
+          groups.each_with_index { |group, index| write_group f, index, group }
+          write_epilogue f
+        end
       end
 
-      def write_host_certificate(credentials)
-        FileUtils.mkdir_p host_certificate.parent
-        host_certificate.open(File::CREAT | File::WRONLY) { |f| f.write credentials['host-certificate'] }
+      def write_epilogue(f)
+        f.write <<EOS
+}
+EOS
       end
 
-      def write_host(credentials)
-        content = chrystoki.open(File::RDONLY) { |f| f.read }
-        content.gsub!(/@@HOST@@/, credentials['host'])
+      def write_group(f, index, group)
+        padded_index = padded_index index
+
+        f.write "  VirtualToken#{padded_index}Label   = #{group['label']};\n"
+        f.write "  VirtualToken#{padded_index}SN      = 1#{group['members'][0]};\n"
+        f.write "  VirtualToken#{padded_index}Members = #{group['members'].join(',')};\n"
+        f.write "\n"
+      end
+
+      def write_prologue(f)
+        f.write <<EOS
+
+LunaSA Client = {
+  HAOnly    = 1;
+  NetClient = 1;
+
+  ClientCertFile    = #{relative(@droplet.sandbox + 'usr/safenet/lunaclient/cert/client/client-certificate.pem')};
+  ClientPrivKeyFile = #{relative(@droplet.sandbox + 'usr/safenet/lunaclient/cert/client/client-private-key.pem')};
+  HtlDir            = #{relative(@droplet.sandbox + 'usr/safenet/lunaclient/htl')};
+  ServerCAFile      = #{relative(@droplet.sandbox + 'usr/safenet/lunaclient/cert/server/server-certificates.pem')};
+  SSLConfigFile     = #{relative(@droplet.sandbox + 'usr/safenet/lunaclient/bin/openssl.cnf')};
 
-        chrystoki.open(File::CREAT | File::WRONLY) do |f|
-          f.truncate 0
-          f.write content
-          f.sync
+EOS
+      end
+
+      def write_server(f, index, server)
+        padded_index = padded_index index
+
+        f.write "  ServerName#{padded_index} = #{server['name']};\n"
+        f.write "  ServerPort#{padded_index} = 1792;\n"
+        f.write "  ServerHtl#{padded_index}  = 0;\n"
+        f.write "\n"
+      end
+
+      def write_servers(servers)
+        FileUtils.mkdir_p server_certificates.parent
+        server_certificates.open(File::CREAT | File::WRONLY) do |f|
+          servers.each { |server| f.write "#{server['certificate']}\n" }
         end
       end
 
     end
-
   end
 end
diff --git a/resources/luna_security_provider/Chrystoki.conf b/resources/luna_security_provider/Chrystoki.conf
@@ -1,32 +1,21 @@
 Chrystoki2 = {
-   LibUNIX = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2.so;
-   LibUNIX64 = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2_64.so;
+  LibUNIX   = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2.so;
+  LibUNIX64 = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2_64.so;
 }
 
 Luna = {
-  DefaultTimeOut = 500000;
-  PEDTimeout1 = 100000;
-  PEDTimeout2 = 100000;
-  PEDTimeout3 = 10000;
-  KeypairGenTimeOut = 2700000;
-  CloningCommandTimeOut = 300000;
+  DefaultTimeOut        =  500000;
+  PEDTimeout1           =  100000;
+  PEDTimeout2           =  100000;
+  PEDTimeout3           =   10000;
+  KeypairGenTimeOut     = 2700000;
+  CloningCommandTimeOut =  300000;
 }
 
 CardReader = {
   RemoteCommand = 1;
 }
-LunaSA Client = {
-   ReceiveTimeout = 20000;
-   SSLConfigFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/bin/openssl.cnf;
-   ClientPrivKeyFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/client/ClientNameKey.pem;
-   ClientCertFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/client/ClientNameCert.pem;
-   ServerCAFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/server/CAFile.pem;
-   NetClient = 1;
-   HtlDir = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/htl/;
-   ServerName00 = @@HOST@@;
-   ServerPort00 = 1792;
-   ServerHtl00 = 0;
-}
+
 Misc = {
-   ToolsDir = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/bin;
+  ToolsDir = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/bin;
 }
diff --git a/spec/fixtures/framework_luna_security_provider/Chrystoki.conf b/spec/fixtures/framework_luna_security_provider/Chrystoki.conf
@@ -0,0 +1,52 @@
+Chrystoki2 = {
+  LibUNIX   = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2.so;
+  LibUNIX64 = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/lib/libCryptoki2_64.so;
+}
+
+Luna = {
+  DefaultTimeOut        =  500000;
+  PEDTimeout1           =  100000;
+  PEDTimeout2           =  100000;
+  PEDTimeout3           =   10000;
+  KeypairGenTimeOut     = 2700000;
+  CloningCommandTimeOut =  300000;
+}
+
+CardReader = {
+  RemoteCommand = 1;
+}
+
+Misc = {
+  ToolsDir = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/bin;
+}
+
+LunaSA Client = {
+  HAOnly    = 1;
+  NetClient = 1;
+
+  ClientCertFile    = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/client/client-certificate.pem;
+  ClientPrivKeyFile = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/client/client-private-key.pem;
+  HtlDir            = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/htl;
+  ServerCAFile      = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/cert/server/server-certificates.pem;
+  SSLConfigFile     = .java-buildpack/luna_security_provider/usr/safenet/lunaclient/bin/openssl.cnf;
+
+  ServerName00 = test-server-1;
+  ServerPort00 = 1792;
+  ServerHtl00  = 0;
+
+  ServerName01 = test-server-2;
+  ServerPort01 = 1792;
+  ServerHtl01  = 0;
+
+}
+
+VirtualToken = {
+  VirtualToken00Label   = test-group-1;
+  VirtualToken00SN      = 1test-group-1-member-1;
+  VirtualToken00Members = test-group-1-member-1,test-group-1-member-2;
+
+  VirtualToken01Label   = test-group-2;
+  VirtualToken01SN      = 1test-group-2-member-1;
+  VirtualToken01Members = test-group-2-member-1,test-group-2-member-2;
+
+}
diff --git a/spec/fixtures/framework_luna_security_provider/client-certificate.pem b/spec/fixtures/framework_luna_security_provider/client-certificate.pem
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+test-client-cert
+-----END CERTIFICATE-----
diff --git a/spec/fixtures/framework_luna_security_provider/client-private-key.pem b/spec/fixtures/framework_luna_security_provider/client-private-key.pem
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+test-client-private-key
+-----END RSA PRIVATE KEY-----
diff --git a/spec/fixtures/framework_luna_security_provider/server-certificates.pem b/spec/fixtures/framework_luna_security_provider/server-certificates.pem
@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE-----
+test-server-1-cert
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+test-server-2-cert
+-----END CERTIFICATE-----
diff --git a/spec/java_buildpack/framework/luna_security_provider_spec.rb b/spec/java_buildpack/framework/luna_security_provider_spec.rb

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+-----BEGIN CERTIFICATE-----`
	`2`	`+test-client-cert`
	`3`	`+-----END CERTIFICATE-----`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+-----BEGIN RSA PRIVATE KEY-----`
	`2`	`+test-client-private-key`
	`3`	`+-----END RSA PRIVATE KEY-----`