Merge pull request #132 from hmcts/fix/fix-certs

srivanimuddineni · web-flow · commit 2980b2118133 · 2026-01-15T08:52:13.000Z
fix: add startup script to import certs in /etc/certs into java keystore
diff --git a/.github/workflows/ci-build-publish.yml b/.github/workflows/ci-build-publish.yml
@@ -120,9 +120,6 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           AZURE_DEVOPS_ARTIFACT_USERNAME: ${{ secrets.AZURE_DEVOPS_ARTIFACT_USERNAME }}
           AZURE_DEVOPS_ARTIFACT_TOKEN: ${{ secrets.AZURE_DEVOPS_ARTIFACT_TOKEN }}
-          AMP_BACKEND_URL: ${{ secrets.AMP_BACKEND_URL }}
-          CP_BACKEND_URL: ${{ secrets.CP_BACKEND_URL }}
-          CJSCPPUID: ${{ secrets.CJSCPPUID }}
           ENVIRONMENT: ${{ inputs.environment }}
         run: |
           echo "Active environment=$ENVIRONMENT"
@@ -142,10 +139,7 @@ jobs:
             -DGITHUB_ACTOR=${{ github.actor }} \
             -DGITHUB_TOKEN=$GITHUB_TOKEN \
             -DAZURE_DEVOPS_ARTIFACT_USERNAME=$AZURE_DEVOPS_ARTIFACT_USERNAME \
-            -DAZURE_DEVOPS_ARTIFACT_TOKEN=$AZURE_DEVOPS_ARTIFACT_TOKEN \
-            -DAMP_BACKEND_URL=$AMP_BACKEND_URL \
-            -DCP_BACKEND_URL=$CP_BACKEND_URL \
-            -DCJSCPPUID=$CJSCPPUID 
+            -DAZURE_DEVOPS_ARTIFACT_TOKEN=$AZURE_DEVOPS_ARTIFACT_TOKEN
 
   Build-Docker:
     needs: [ Provider-Deploy, Build, Artefact-Version ]
@@ -184,9 +178,6 @@ jobs:
           build-args: |
             BASE_IMAGE=eclipse-temurin:21
             JAR_FILENAME=${{ needs.Build.outputs.artefact_name }}.jar
-            AMP_BACKEND_URL=${{ secrets.AMP_BACKEND_URL }}
-            CP_BACKEND_URL=${{ secrets.CP_BACKEND_URL }}
-            CJSCPPUID=${{ secrets.CJSCPPUID }}
 
   Deploy:
     needs: [ Provider-Deploy, Build, Artefact-Version ]
diff --git a/Dockerfile b/Dockerfile
@@ -1,40 +1,18 @@
-# ---- Base image (default fallback) ----
-ARG BASE_IMAGE
-FROM ${BASE_IMAGE:-eclipse-temurin:21}
+FROM eclipse-temurin:21
 
-# ---- Runtime arguments ----
-ARG JAR_FILENAME
-ARG JAR_FILE_PATH
-ARG AMP_BACKEND_URL
-ARG CP_BACKEND_URL
-ARG CJSCPPUID
-
-ENV JAR_FILENAME=${JAR_FILENAME:-app.jar}
-ENV JAR_FILE_PATH=${JAR_FILE_PATH:-build/libs}
-ENV JAR_FULL_PATH=$JAR_FILE_PATH/$JAR_FILENAME
-
-ENV AMP_BACKEND_URL=$AMP_BACKEND_URL
-ENV CP_BACKEND_URL=$CP_BACKEND_URL
-ENV CJSCPPUID=$CJSCPPUID
-
-
-# ---- Set runtime ENV for Spring Boot to bind port
-ARG SERVER_PORT
-ENV SERVER_PORT=${SERVER_PORT:-4550}
+WORKDIR /app
 
 # ---- Dependencies ----
 RUN apt-get update \
     && apt-get install -y curl \
     && rm -rf /var/lib/apt/lists/*
 
 # ---- Application files ----
-COPY $JAR_FULL_PATH /opt/app/app.jar
-COPY lib/applicationinsights.json /opt/app/
-
-# ---- Permissions ----
-RUN chmod 755 /opt/app/app.jar
+COPY docker/* /app/
+COPY build/libs/*.jar /app/
+COPY lib/applicationinsights.json /app/
 
 # ---- Runtime ----
 EXPOSE 4550
 
-CMD ["java", "-Dcom.sun.net.ssl.checkRevocation=false", "-jar", "/opt/app/app.jar"]
+ENTRYPOINT ["/bin/sh","./startup.sh"]
diff --git a/docker/README-certs.md b/docker/README-certs.md
@@ -0,0 +1,11 @@
+# Some useful keytool commands
+#
+Ignore warning "Warning: use -cacerts option to access cacerts keystore"
+Think the finger print for cpp-nonline is  A0:AF:DB:4F:...:CA:DA:14:C6
+```
+keytool -list -keystore $KEYSTORE -storepass changeit
+keytool -list -keystore $KEYSTORE -storepass changeit | grep "A0:AF:DB"
+keytool -delete -keystore $KEYSTORE -storepass changeit -alias localcert1
+keytool -delete -keystore $KEYSTORE -storepass changeit -alias mykey
+```
+
diff --git a/docker/startup.sh b/docker/startup.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env sh
+# Script to add ssl trust certs into the current truststore / keystore before we start our spring boot app
+# We use self signed certificates in our dev and test environments so we need to add these to our chain of trust
+# The kubernetes startup will load any self signed certificates into /etc/certs
+# We load any certs found in the /etc/certs into the default keystore
+#
+logmsg() {
+    SCRIPTNAME=$(basename $0)
+    echo "$SCRIPTNAME : $1"
+}
+
+logmsg "running and loading certificates ..."
+export KEYSTORE="$JAVA_HOME/lib/security/cacerts"
+if [ -z "$CERTS_DIR" ]; then
+    logmsg "Warning - expects \$CERTS_DIR to be set. i.e. export CERTS_DIR="/etc/certs
+    logmsg "Defaulting to /etc/certs"
+    export CERTS_DIR="/etc/certs"
+fi
+
+if [ ! -f "$KEYSTORE" ]; then
+    logmsg "Error - expects keystore to already exist"
+    exit 1
+fi
+
+export count=1
+logmsg "Loading certificates from $CERTS_DIR into keystore $KEYSTORE"
+for FILE in $(ls $CERTS_DIR)
+do
+    alias="mojcert$count"
+    logmsg "Adding $CERTS_DIR/$FILE to keystore with alias $alias"
+    keytool -importcert -file $CERTS_DIR/$FILE -keystore $KEYSTORE -storepass changeit -alias $alias -noprompt
+    count=$((count+1))
+done
+
+keytool -list -keystore $KEYSTORE -storepass changeit | grep "Your keystore contains"
+
+export LOCALJARFILE=$(ls ./build/libs/*.jar 2>/dev/null | grep -v 'plain' | head -n1)
+export DOCKERJARFILE=$(ls /app/*.jar 2>/dev/null | grep -v 'plain' | head -n1)
+if [ -f "$DOCKERJARFILE" ]; then
+    logmsg "Running docker java jarfile $DOCKERJARFILE"
+    java -jar $DOCKERJARFILE
+elif [ -f "$LOCALJARFILE" ]; then
+    logmsg "Running local java jarfile $LOCALJARFILE"
+    java -jar $LOCALJARFILE
+else
+    logmsg "ERROR - No jarfile found. Unable to start application"
+fi
diff --git a/gradle/test.gradle b/gradle/test.gradle
@@ -1,6 +1,5 @@
 tasks.named('test') {
   useJUnitPlatform {
-    excludeTags 'pact'
   }
   systemProperty 'API_SPEC_VERSION', project.version
   failFast = true
diff --git a/src/main/java/uk/gov/hmcts/cp/repositories/CourtScheduleClientImpl.java b/src/main/java/uk/gov/hmcts/cp/repositories/CourtScheduleClientImpl.java
@@ -4,18 +4,18 @@
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.owasp.encoder.Encode;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Primary;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Component;
 import org.springframework.web.util.UriComponentsBuilder;
 import uk.gov.hmcts.cp.domain.HearingResponse;
 import uk.gov.hmcts.cp.domain.HearingResponse.HearingSchedule.Judiciary;
-
-import uk.gov.hmcts.cp.openapi.model.Hearing;
+import uk.gov.hmcts.cp.openapi.model.CourtSchedule;
 import uk.gov.hmcts.cp.openapi.model.CourtScheduleResponse;
 import uk.gov.hmcts.cp.openapi.model.CourtSitting;
-import uk.gov.hmcts.cp.openapi.model.CourtSchedule;
+import uk.gov.hmcts.cp.openapi.model.Hearing;
 
 import java.io.IOException;
 import java.net.URI;
@@ -62,10 +62,12 @@ public CourtScheduleResponse getCourtScheduleByCaseId(final String caseId) {
     }
 
     private List<Hearing> getHearings(final String caseId) {
+        final String url = buildUrl(caseId);
+        log.info("Getting hearings from {}", Encode.forJava(url));
         List<Hearing> hearingSchedule = Collections.emptyList();
         try {
             final HttpRequest request = HttpRequest.newBuilder()
-                    .uri(new URI(buildUrl(caseId)))
+                    .uri(new URI(Encode.forJava(url)))
                     .GET()
                     .header("Accept", "application/vnd.listing.search.hearings+json")
                     .header("CJSCPPUID", getCjscppuid())
diff --git a/src/main/java/uk/gov/hmcts/cp/services/CaseUrnMapperService.java b/src/main/java/uk/gov/hmcts/cp/services/CaseUrnMapperService.java
@@ -4,23 +4,21 @@
 import lombok.NonNull;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.owasp.encoder.Encode;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Service;
 import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.util.UriComponentsBuilder;
 import uk.gov.hmcts.cp.domain.CaseMapperResponse;
 
-import org.springframework.http.HttpEntity;
-import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpMethod;
-import org.springframework.http.MediaType;
-import org.springframework.http.ResponseEntity;
-import org.springframework.http.HttpStatus;
-import org.owasp.encoder.Encode;
-
-
 
 @Service
 @RequiredArgsConstructor
@@ -39,9 +37,11 @@ public class CaseUrnMapperService {
 
     public String getCaseId(final String caseUrn) {
         final String sanitizedCaseUrn = Encode.forJava(caseUrn);
+        final String url = getCaseIdUrl(caseUrn);
+        log.info("Getting caseId from {}", url);
         try {
             final ResponseEntity<CaseMapperResponse> responseEntity = restTemplate.exchange(
-                    getCaseIdUrl(caseUrn),
+                    url,
                     HttpMethod.GET,
                     getRequestEntity(),
                     CaseMapperResponse.class

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,5 @@`
`1`	`1`	`tasks.named('test') {`
`2`	`2`	`useJUnitPlatform {`
`3`		`- excludeTags 'pact'`
`4`	`3`	`}`
`5`	`4`	`systemProperty 'API_SPEC_VERSION', project.version`
`6`	`5`	`failFast = true`