Support remote Docker daemon for building images
Prior to this commit, the build plugin goal/task for building images required a locally running Docker daemon that was accessed via a non-networked socket or pipe. This commit adds support for remote Docker daemons at a location specified by the environment variable `DOCKER_HOST`. Additional environment variables `DOCKER_TLS_VERIFY` and `DOCKER_CERT_PATH` are recognized for configuring a secure TLS connection to the daemon. Fixes gh-20538pull/20580/head
parent
fd05bc2a4a
commit
ed6e54218d
@ -0,0 +1,74 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.httpclient;
|
||||
|
||||
import org.apache.http.HttpHost;
|
||||
import org.apache.http.client.HttpClient;
|
||||
import org.apache.http.impl.client.CloseableHttpClient;
|
||||
|
||||
/**
|
||||
* A {@code DockerHttpClientConnection} that determines an appropriate connection to a
|
||||
* Docker host by detecting whether a remote Docker host is configured or if a default
|
||||
* local connection should be used.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
* @since 2.3.0
|
||||
*/
|
||||
public final class DelegatingDockerHttpClientConnection implements DockerHttpClientConnection {
|
||||
|
||||
private static final RemoteEnvironmentDockerHttpClientConnection REMOTE_FACTORY = new RemoteEnvironmentDockerHttpClientConnection();
|
||||
|
||||
private static final LocalDockerHttpClientConnection LOCAL_FACTORY = new LocalDockerHttpClientConnection();
|
||||
|
||||
private final DockerHttpClientConnection delegate;
|
||||
|
||||
private DelegatingDockerHttpClientConnection(DockerHttpClientConnection delegate) {
|
||||
this.delegate = delegate;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get an {@link HttpHost} describing the Docker host connection.
|
||||
* @return the {@code HttpHost}
|
||||
*/
|
||||
public HttpHost getHttpHost() {
|
||||
return this.delegate.getHttpHost();
|
||||
}
|
||||
|
||||
/**
|
||||
* Get an {@link HttpClient} that can be used to communicate with the Docker host.
|
||||
* @return the {@code HttpClient}
|
||||
*/
|
||||
public CloseableHttpClient getHttpClient() {
|
||||
return this.delegate.getHttpClient();
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a {@link DockerHttpClientConnection} by detecting the connection
|
||||
* configuration.
|
||||
* @return the {@code DockerHttpClientConnection}
|
||||
*/
|
||||
public static DockerHttpClientConnection create() {
|
||||
if (REMOTE_FACTORY.accept()) {
|
||||
return new DelegatingDockerHttpClientConnection(REMOTE_FACTORY);
|
||||
}
|
||||
if (LOCAL_FACTORY.accept()) {
|
||||
return new DelegatingDockerHttpClientConnection(LOCAL_FACTORY);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,43 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.httpclient;
|
||||
|
||||
import org.apache.http.HttpHost;
|
||||
import org.apache.http.client.HttpClient;
|
||||
import org.apache.http.impl.client.CloseableHttpClient;
|
||||
|
||||
/**
|
||||
* Describes a connection to a Docker host.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
* @since 2.3.0
|
||||
*/
|
||||
public interface DockerHttpClientConnection {
|
||||
|
||||
/**
|
||||
* Create an {@link HttpHost} describing the Docker host connection.
|
||||
* @return the {@code HttpHost}
|
||||
*/
|
||||
HttpHost getHttpHost();
|
||||
|
||||
/**
|
||||
* Create an {@link HttpClient} that can be used to communicate with the Docker host.
|
||||
* @return the {@code HttpClient}
|
||||
*/
|
||||
CloseableHttpClient getHttpClient();
|
||||
|
||||
}
|
5
spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/DockerConnectionSocketFactory.java → spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/httpclient/LocalDockerConnectionSocketFactory.java
5
spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/DockerConnectionSocketFactory.java → spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/httpclient/LocalDockerConnectionSocketFactory.java
9
spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/DockerDnsResolver.java → spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/httpclient/LocalDockerDnsResolver.java
9
spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/DockerDnsResolver.java → spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/httpclient/LocalDockerDnsResolver.java
@ -0,0 +1,75 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.httpclient;
|
||||
|
||||
import org.apache.http.HttpHost;
|
||||
import org.apache.http.client.HttpClient;
|
||||
import org.apache.http.impl.client.CloseableHttpClient;
|
||||
import org.apache.http.impl.client.HttpClientBuilder;
|
||||
import org.apache.http.impl.client.HttpClients;
|
||||
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* A {@link DockerHttpClientConnection} that describes a connection to a local Docker
|
||||
* host.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
* @since 2.3.0
|
||||
*/
|
||||
public class LocalDockerHttpClientConnection implements DockerHttpClientConnection {
|
||||
|
||||
private HttpHost httpHost;
|
||||
|
||||
private CloseableHttpClient httpClient;
|
||||
|
||||
/**
|
||||
* Indicate that this factory can be used as a default.
|
||||
* @return {@code true} always
|
||||
*/
|
||||
public boolean accept() {
|
||||
this.httpHost = HttpHost.create("docker://localhost");
|
||||
|
||||
HttpClientBuilder builder = HttpClients.custom();
|
||||
builder.setConnectionManager(new LocalDockerHttpClientConnectionManager());
|
||||
builder.setSchemePortResolver(new LocalDockerSchemePortResolver());
|
||||
this.httpClient = builder.build();
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get an {@link HttpHost} describing a local Docker host connection.
|
||||
* @return the {@code HttpHost}
|
||||
*/
|
||||
@Override
|
||||
public HttpHost getHttpHost() {
|
||||
Assert.state(this.httpHost != null, "DockerHttpClientConnection was not properly initialized");
|
||||
return this.httpHost;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get an {@link HttpClient} that can be used to communicate with a local Docker host.
|
||||
* @return the {@code HttpClient}
|
||||
*/
|
||||
@Override
|
||||
public CloseableHttpClient getHttpClient() {
|
||||
Assert.state(this.httpClient != null, "DockerHttpClientConnection was not properly initialized");
|
||||
return this.httpClient;
|
||||
}
|
||||
|
||||
}
|
11
spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/DockerHttpClientConnectionManager.java → spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/httpclient/LocalDockerHttpClientConnectionManager.java
11
spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/DockerHttpClientConnectionManager.java → spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/httpclient/LocalDockerHttpClientConnectionManager.java
5
spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/DockerSchemePortResolver.java → spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/httpclient/LocalDockerSchemePortResolver.java
5
spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/DockerSchemePortResolver.java → spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/httpclient/LocalDockerSchemePortResolver.java
@ -0,0 +1,167 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.httpclient;
|
||||
|
||||
import javax.net.ssl.SSLContext;
|
||||
|
||||
import org.apache.http.HttpHost;
|
||||
import org.apache.http.client.HttpClient;
|
||||
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
|
||||
import org.apache.http.impl.client.CloseableHttpClient;
|
||||
import org.apache.http.impl.client.HttpClientBuilder;
|
||||
import org.apache.http.impl.client.HttpClients;
|
||||
|
||||
import org.springframework.boot.buildpack.platform.docker.ssl.SslContextFactory;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* A {@link DockerHttpClientConnection} that describes a connection to a remote Docker
|
||||
* host specified by environment variables.
|
||||
*
|
||||
* This implementation looks for the following environment variables:
|
||||
*
|
||||
* <p>
|
||||
* <ul>
|
||||
* <li>{@code DOCKER_HOST} - the URL to a Docker daemon host, such as
|
||||
* {@code tcp://localhost:2376}</li>
|
||||
* <li>{@code DOCKER_TLS_VERIFY} - set to {@code 1} to enable secure connection to the
|
||||
* Docker host via TLS (optional)</li>
|
||||
* <li>{@code DOCKER_CERT_PATH} - the path to certificate and key files needed for TLS
|
||||
* verification (required if {@code DOCKER_TLS_VERIFY=1})</li>
|
||||
* </ul>
|
||||
*
|
||||
* @author Scott Frederick
|
||||
* @since 2.3.0
|
||||
*/
|
||||
public class RemoteEnvironmentDockerHttpClientConnection implements DockerHttpClientConnection {
|
||||
|
||||
private static final String DOCKER_HOST_KEY = "DOCKER_HOST";
|
||||
|
||||
private static final String DOCKER_TLS_VERIFY_KEY = "DOCKER_TLS_VERIFY";
|
||||
|
||||
private static final String DOCKER_CERT_PATH_KEY = "DOCKER_CERT_PATH";
|
||||
|
||||
private final EnvironmentAccessor environment;
|
||||
|
||||
private final SslContextFactory sslContextFactory;
|
||||
|
||||
private HttpHost httpHost;
|
||||
|
||||
private CloseableHttpClient httpClient;
|
||||
|
||||
RemoteEnvironmentDockerHttpClientConnection() {
|
||||
this.environment = new SystemEnvironmentAccessor();
|
||||
this.sslContextFactory = new SslContextFactory();
|
||||
}
|
||||
|
||||
RemoteEnvironmentDockerHttpClientConnection(EnvironmentAccessor environmentAccessor,
|
||||
SslContextFactory sslContextFactory) {
|
||||
this.environment = environmentAccessor;
|
||||
this.sslContextFactory = sslContextFactory;
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicate whether this factory can create be used to create a connection.
|
||||
* @return {@code true} if the environment variable {@code DOCKER_HOST} is set,
|
||||
* {@code false} otherwise
|
||||
*/
|
||||
public boolean accept() {
|
||||
if (this.environment.getProperty("DOCKER_HOST") != null) {
|
||||
initHttpHost();
|
||||
initHttpClient();
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get an {@link HttpHost} from the Docker host specified in the environment.
|
||||
* @return the {@code HttpHost}
|
||||
*/
|
||||
@Override
|
||||
public HttpHost getHttpHost() {
|
||||
Assert.state(this.httpHost != null, "DockerHttpClientConnection was not properly initialized");
|
||||
return this.httpHost;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get an {@link HttpClient} from the Docker connection information specified in the
|
||||
* environment.
|
||||
* @return the {@code HttpClient}
|
||||
*/
|
||||
@Override
|
||||
public CloseableHttpClient getHttpClient() {
|
||||
Assert.state(this.httpClient != null, "DockerHttpClientConnection was not properly initialized");
|
||||
return this.httpClient;
|
||||
}
|
||||
|
||||
private void initHttpHost() {
|
||||
String dockerHost = this.environment.getProperty(DOCKER_HOST_KEY);
|
||||
Assert.hasText(dockerHost, "DOCKER_HOST must be set");
|
||||
|
||||
this.httpHost = HttpHost.create(dockerHost);
|
||||
if ("tcp".equals(this.httpHost.getSchemeName())) {
|
||||
String scheme = (isSecure()) ? "https" : "http";
|
||||
this.httpHost = new HttpHost(this.httpHost.getHostName(), this.httpHost.getPort(), scheme);
|
||||
}
|
||||
}
|
||||
|
||||
private void initHttpClient() {
|
||||
HttpClientBuilder builder = HttpClients.custom();
|
||||
|
||||
if (isSecure()) {
|
||||
String certPath = this.environment.getProperty(DOCKER_CERT_PATH_KEY);
|
||||
Assert.hasText(certPath, DOCKER_TLS_VERIFY_KEY + " requires trust material location to be specified with "
|
||||
+ DOCKER_CERT_PATH_KEY);
|
||||
|
||||
SSLContext sslContext = this.sslContextFactory.forPath(certPath);
|
||||
SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext);
|
||||
|
||||
builder.setSSLSocketFactory(sslSocketFactory).setSSLContext(sslContext);
|
||||
}
|
||||
|
||||
this.httpClient = builder.build();
|
||||
}
|
||||
|
||||
private boolean isSecure() {
|
||||
String tlsVerify = this.environment.getProperty(DOCKER_TLS_VERIFY_KEY);
|
||||
if (tlsVerify != null) {
|
||||
try {
|
||||
return Integer.parseInt(tlsVerify) == 1;
|
||||
}
|
||||
catch (NumberFormatException ex) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
interface EnvironmentAccessor {
|
||||
|
||||
String getProperty(String key);
|
||||
|
||||
}
|
||||
|
||||
public static class SystemEnvironmentAccessor implements EnvironmentAccessor {
|
||||
|
||||
public String getProperty(String key) {
|
||||
return System.getenv(key);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,94 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.ssl;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.IOException;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.CertificateFactory;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.springframework.util.Base64Utils;
|
||||
|
||||
/**
|
||||
* Parser for X.509 certificates in PEM format.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
*/
|
||||
final class CertificateParser {
|
||||
|
||||
private static final Pattern CERTIFICATE_PATTERN = Pattern
|
||||
.compile("-+BEGIN\\s+.*CERTIFICATE[^-]*-+(?:\\s|\\r|\\n)+" + // Header
|
||||
"([a-z0-9+/=\\r\\n]+)" + // Base64 text
|
||||
"-+END\\s+.*CERTIFICATE[^-]*-+", // Footer
|
||||
Pattern.CASE_INSENSITIVE);
|
||||
|
||||
private CertificateParser() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Load certificates from the specified file paths.
|
||||
* @param certPaths one or more paths to certificate files
|
||||
* @return certificates parsed from specified file paths
|
||||
*/
|
||||
static X509Certificate[] parse(Path... certPaths) {
|
||||
List<X509Certificate> certs = new ArrayList<>();
|
||||
for (Path certFile : certPaths) {
|
||||
certs.addAll(generateCertificates(certFile));
|
||||
}
|
||||
return certs.toArray(new X509Certificate[0]);
|
||||
}
|
||||
|
||||
private static List<X509Certificate> generateCertificates(Path certPath) {
|
||||
try {
|
||||
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
|
||||
List<X509Certificate> certs = new ArrayList<>();
|
||||
|
||||
byte[] certBytes = Files.readAllBytes(certPath);
|
||||
String certString = new String(certBytes, StandardCharsets.UTF_8);
|
||||
|
||||
Matcher matcher = CERTIFICATE_PATTERN.matcher(certString);
|
||||
|
||||
while (matcher.find()) {
|
||||
byte[] content = decodeContent(matcher.group(1));
|
||||
ByteArrayInputStream contentStream = new ByteArrayInputStream(content);
|
||||
while (contentStream.available() > 0) {
|
||||
certs.add((X509Certificate) certificateFactory.generateCertificate(contentStream));
|
||||
}
|
||||
}
|
||||
|
||||
return certs;
|
||||
}
|
||||
catch (CertificateException | IOException ex) {
|
||||
throw new IllegalStateException("Error reading certificate from file " + certPath + ": " + ex.getMessage(),
|
||||
ex);
|
||||
}
|
||||
}
|
||||
|
||||
private static byte[] decodeContent(String content) {
|
||||
byte[] contentBytes = content.replaceAll("\r", "").replaceAll("\n", "").getBytes();
|
||||
return Base64Utils.decode(contentBytes);
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,90 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.ssl;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.security.GeneralSecurityException;
|
||||
import java.security.KeyStore;
|
||||
import java.security.KeyStoreException;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
/**
|
||||
* Utility methods for creating Java trust material from key and certificate files.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
*/
|
||||
final class KeyStoreFactory {
|
||||
|
||||
private KeyStoreFactory() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a new {@link KeyStore} populated with the certificate stored at the
|
||||
* specified file path and an optional private key.
|
||||
* @param certPath the path to the certificate authority file
|
||||
* @param keyPath the path to the private file
|
||||
* @param alias the alias to use for KeyStore entries
|
||||
* @return the {@code KeyStore}
|
||||
*/
|
||||
static KeyStore create(Path certPath, Path keyPath, String alias) {
|
||||
try {
|
||||
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
|
||||
keyStore.load(null);
|
||||
|
||||
X509Certificate[] certificates = CertificateParser.parse(certPath);
|
||||
|
||||
if (keyPath != null && Files.exists(keyPath)) {
|
||||
PrivateKey privateKey = PrivateKeyParser.parse(keyPath);
|
||||
addCertsToStore(keyStore, certificates, privateKey, alias);
|
||||
}
|
||||
else {
|
||||
addCertsToStore(keyStore, certificates, alias);
|
||||
}
|
||||
|
||||
return keyStore;
|
||||
}
|
||||
catch (GeneralSecurityException | IOException ex) {
|
||||
throw new IllegalStateException("Error creating KeyStore: " + ex.getMessage(), ex);
|
||||
}
|
||||
}
|
||||
|
||||
private static void addCertsToStore(KeyStore keyStore, X509Certificate[] certificates, PrivateKey privateKey,
|
||||
String alias) {
|
||||
try {
|
||||
keyStore.setKeyEntry(alias, privateKey, new char[] {}, certificates);
|
||||
}
|
||||
catch (KeyStoreException ex) {
|
||||
throw new IllegalStateException("Error adding certificates to KeyStore: " + ex.getMessage(), ex);
|
||||
}
|
||||
}
|
||||
|
||||
private static void addCertsToStore(KeyStore keyStore, X509Certificate[] certs, String alias) {
|
||||
try {
|
||||
for (int index = 0; index < certs.length; index++) {
|
||||
String indexedAlias = alias + "-" + index;
|
||||
keyStore.setCertificateEntry(indexedAlias, certs[index]);
|
||||
}
|
||||
}
|
||||
catch (KeyStoreException ex) {
|
||||
throw new IllegalStateException("Error adding certificates to KeyStore: " + ex.getMessage(), ex);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,125 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.ssl;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.security.GeneralSecurityException;
|
||||
import java.security.KeyFactory;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.spec.InvalidKeySpecException;
|
||||
import java.security.spec.PKCS8EncodedKeySpec;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.springframework.util.Base64Utils;
|
||||
|
||||
/**
|
||||
* Parser for PKCS private key files in PEM format.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
*/
|
||||
final class PrivateKeyParser {
|
||||
|
||||
private static final Pattern PKCS_1_KEY_PATTERN = Pattern
|
||||
.compile("-+BEGIN\\s+RSA\\s+PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+" + // Header
|
||||
"([a-z0-9+/=\\r\\n]+)" + // Base64 text
|
||||
"-+END\\s+RSA\\s+PRIVATE\\s+KEY[^-]*-+", // Footer
|
||||
Pattern.CASE_INSENSITIVE);
|
||||
|
||||
private static final Pattern PKCS_8_KEY_PATTERN = Pattern
|
||||
.compile("-+BEGIN\\s+PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+" + // Header
|
||||
"([a-z0-9+/=\\r\\n]+)" + // Base64 text
|
||||
"-+END\\s+PRIVATE\\s+KEY[^-]*-+", // Footer
|
||||
Pattern.CASE_INSENSITIVE);
|
||||
|
||||
private PrivateKeyParser() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Load a private key from the specified file paths.
|
||||
* @param keyPath the path to the private key file
|
||||
* @return private key from specified file path
|
||||
*/
|
||||
static PrivateKey parse(Path keyPath) {
|
||||
try {
|
||||
byte[] keyBytes = Files.readAllBytes(keyPath);
|
||||
String keyString = new String(keyBytes, StandardCharsets.UTF_8);
|
||||
|
||||
Matcher matcher = PKCS_1_KEY_PATTERN.matcher(keyString);
|
||||
if (matcher.find()) {
|
||||
return parsePkcs1PrivateKey(decodeContent(matcher.group(1)));
|
||||
}
|
||||
|
||||
matcher = PKCS_8_KEY_PATTERN.matcher(keyString);
|
||||
if (matcher.find()) {
|
||||
return parsePkcs8PrivateKey(decodeContent(matcher.group(1)));
|
||||
}
|
||||
|
||||
throw new IllegalStateException("Unrecognized private key format in " + keyPath);
|
||||
}
|
||||
catch (GeneralSecurityException | IOException ex) {
|
||||
throw new IllegalStateException("Error loading private key file " + keyPath, ex);
|
||||
}
|
||||
}
|
||||
|
||||
private static byte[] decodeContent(String content) {
|
||||
byte[] contentBytes = content.replaceAll("\r", "").replaceAll("\n", "").getBytes();
|
||||
return Base64Utils.decode(contentBytes);
|
||||
}
|
||||
|
||||
private static PrivateKey parsePkcs1PrivateKey(byte[] privateKeyBytes) throws GeneralSecurityException {
|
||||
byte[] pkcs8Bytes = convertPkcs1ToPkcs8(privateKeyBytes);
|
||||
return parsePkcs8PrivateKey(pkcs8Bytes);
|
||||
}
|
||||
|
||||
private static PrivateKey parsePkcs8PrivateKey(byte[] privateKeyBytes) throws GeneralSecurityException {
|
||||
try {
|
||||
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
|
||||
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
|
||||
return keyFactory.generatePrivate(keySpec);
|
||||
}
|
||||
catch (InvalidKeySpecException ex) {
|
||||
throw new IllegalArgumentException("Unexpected key format", ex);
|
||||
}
|
||||
}
|
||||
|
||||
private static byte[] convertPkcs1ToPkcs8(byte[] privateKeyBytes) {
|
||||
int pkcs1Length = privateKeyBytes.length;
|
||||
int totalLength = pkcs1Length + 22;
|
||||
byte[] pkcs8Header = new byte[] { 0x30, (byte) 0x82, (byte) ((totalLength >> 8) & 0xff),
|
||||
// Sequence + total length
|
||||
(byte) (totalLength & 0xff),
|
||||
// Integer (0)
|
||||
0x2, 0x1, 0x0,
|
||||
// Sequence: 1.2.840.113549.1.1.1, NULL
|
||||
0x30, 0xD, 0x6, 0x9, 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0xD, 0x1, 0x1, 0x1, 0x5, 0x0,
|
||||
// Octet string + length
|
||||
0x4, (byte) 0x82, (byte) ((pkcs1Length >> 8) & 0xff), (byte) (pkcs1Length & 0xff) };
|
||||
return join(pkcs8Header, privateKeyBytes);
|
||||
}
|
||||
|
||||
private static byte[] join(byte[] byteArray1, byte[] byteArray2) {
|
||||
byte[] bytes = new byte[byteArray1.length + byteArray2.length];
|
||||
System.arraycopy(byteArray1, 0, bytes, 0, byteArray1.length);
|
||||
System.arraycopy(byteArray2, 0, bytes, byteArray1.length, byteArray2.length);
|
||||
return bytes;
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,91 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.ssl;
|
||||
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.security.KeyStore;
|
||||
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
|
||||
/**
|
||||
* Builds an {@link SSLContext} for use with an HTTP connection.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
* @since 2.3.0
|
||||
*/
|
||||
public class SslContextFactory {
|
||||
|
||||
private static final String KEY_STORE_ALIAS = "spring-boot-docker";
|
||||
|
||||
public SslContextFactory() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an {@link SSLContext} from files in the specified directory.
|
||||
*
|
||||
* The directory must contain files with the names 'key.pem', 'cert.pem', and
|
||||
* 'ca.pem'.
|
||||
* @param certificatePath the path to a directory containing certificate and key files
|
||||
* @return the {@code SSLContext}
|
||||
*/
|
||||
public SSLContext forPath(String certificatePath) {
|
||||
|
||||
try {
|
||||
|
||||
Path keyPath = Paths.get(certificatePath, "key.pem");
|
||||
Path certPath = Paths.get(certificatePath, "cert.pem");
|
||||
Path certAuthorityPath = Paths.get(certificatePath, "ca.pem");
|
||||
Path certAuthorityKeyPath = Paths.get(certificatePath, "ca-key.pem");
|
||||
|
||||
verifyCertificateFiles(keyPath, certPath, certAuthorityPath);
|
||||
|
||||
KeyStore keyStore = KeyStoreFactory.create(certPath, keyPath, KEY_STORE_ALIAS);
|
||||
KeyManagerFactory keyManagerFactory = KeyManagerFactory
|
||||
.getInstance(KeyManagerFactory.getDefaultAlgorithm());
|
||||
keyManagerFactory.init(keyStore, new char[] {});
|
||||
|
||||
KeyStore trustStore = KeyStoreFactory.create(certAuthorityPath, certAuthorityKeyPath, KEY_STORE_ALIAS);
|
||||
TrustManagerFactory trustManagerFactory = TrustManagerFactory
|
||||
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
|
||||
trustManagerFactory.init(trustStore);
|
||||
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
|
||||
|
||||
return sslContext;
|
||||
|
||||
}
|
||||
catch (Exception ex) {
|
||||
throw new RuntimeException(ex.getMessage(), ex);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
private static void verifyCertificateFiles(Path... certificateFilePaths) {
|
||||
for (Path path : certificateFilePaths) {
|
||||
if (!Files.exists(path)) {
|
||||
throw new RuntimeException(
|
||||
"Certificate path must contain the files 'ca.pem', 'cert.pem', and 'key.pem'");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,102 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.httpclient;
|
||||
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
|
||||
import javax.net.ssl.SSLContext;
|
||||
|
||||
import org.apache.http.HttpHost;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import org.springframework.boot.buildpack.platform.docker.httpclient.RemoteEnvironmentDockerHttpClientConnection.EnvironmentAccessor;
|
||||
import org.springframework.boot.buildpack.platform.docker.ssl.SslContextFactory;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
|
||||
/**
|
||||
* Tests for {@link RemoteEnvironmentDockerHttpClientConnection}.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
*/
|
||||
class RemoteEnvironmentDockerHttpClientConnectionTests {
|
||||
|
||||
private EnvironmentAccessor environment;
|
||||
|
||||
private RemoteEnvironmentDockerHttpClientConnection connection;
|
||||
|
||||
private SslContextFactory sslContextFactory;
|
||||
|
||||
@BeforeEach
|
||||
void setUp() {
|
||||
this.environment = mock(EnvironmentAccessor.class);
|
||||
this.sslContextFactory = mock(SslContextFactory.class);
|
||||
this.connection = new RemoteEnvironmentDockerHttpClientConnection(this.environment, this.sslContextFactory);
|
||||
}
|
||||
|
||||
@Test
|
||||
void notAcceptedWhenDockerHostNotSet() {
|
||||
assertThat(this.connection.accept()).isFalse();
|
||||
assertThatIllegalStateException().isThrownBy(() -> this.connection.getHttpHost());
|
||||
assertThatIllegalStateException().isThrownBy(() -> this.connection.getHttpClient());
|
||||
}
|
||||
|
||||
@Test
|
||||
void acceptedWhenDockerHostIsSet() {
|
||||
given(this.environment.getProperty("DOCKER_HOST")).willReturn("tcp://192.168.1.2:2376");
|
||||
assertThat(this.connection.accept()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
void invalidTlsConfigurationThrowsException() {
|
||||
given(this.environment.getProperty("DOCKER_HOST")).willReturn("tcp://192.168.1.2:2376");
|
||||
given(this.environment.getProperty("DOCKER_TLS_VERIFY")).willReturn("1");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.connection.accept())
|
||||
.withMessageContaining("DOCKER_CERT_PATH");
|
||||
}
|
||||
|
||||
@Test
|
||||
void hostProtocolIsHttpWhenNotSecure() {
|
||||
given(this.environment.getProperty("DOCKER_HOST")).willReturn("tcp://192.168.1.2:2376");
|
||||
assertThat(this.connection.accept()).isTrue();
|
||||
HttpHost host = this.connection.getHttpHost();
|
||||
assertThat(host).isNotNull();
|
||||
assertThat(host.getSchemeName()).isEqualTo("http");
|
||||
assertThat(host.getHostName()).isEqualTo("192.168.1.2");
|
||||
assertThat(host.getPort()).isEqualTo(2376);
|
||||
}
|
||||
|
||||
@Test
|
||||
void hostProtocolIsHttpsWhenSecure() throws NoSuchAlgorithmException {
|
||||
given(this.environment.getProperty("DOCKER_HOST")).willReturn("tcp://192.168.1.2:2376");
|
||||
given(this.environment.getProperty("DOCKER_TLS_VERIFY")).willReturn("1");
|
||||
given(this.environment.getProperty("DOCKER_CERT_PATH")).willReturn("/test-cert-path");
|
||||
given(this.sslContextFactory.forPath("/test-cert-path")).willReturn(SSLContext.getDefault());
|
||||
assertThat(this.connection.accept()).isTrue();
|
||||
HttpHost host = this.connection.getHttpHost();
|
||||
assertThat(host).isNotNull();
|
||||
assertThat(host.getSchemeName()).isEqualTo("https");
|
||||
assertThat(host.getHostName()).isEqualTo("192.168.1.2");
|
||||
assertThat(host.getPort()).isEqualTo(2376);
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,80 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.ssl;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
|
||||
|
||||
/**
|
||||
* Tests for {@link CertificateParser}.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
*/
|
||||
class CertificateParserTests {
|
||||
|
||||
private PemFileWriter fileWriter;
|
||||
|
||||
@BeforeEach
|
||||
void setUp() throws IOException {
|
||||
this.fileWriter = new PemFileWriter();
|
||||
}
|
||||
|
||||
@AfterEach
|
||||
void tearDown() throws IOException {
|
||||
this.fileWriter.cleanup();
|
||||
}
|
||||
|
||||
@Test
|
||||
void parseCertificates() throws IOException {
|
||||
Path caPath = this.fileWriter.writeFile("ca.pem", PemFileWriter.CA_CERTIFICATE);
|
||||
Path certPath = this.fileWriter.writeFile("cert.pem", PemFileWriter.CERTIFICATE);
|
||||
X509Certificate[] certificates = CertificateParser.parse(caPath, certPath);
|
||||
assertThat(certificates).isNotNull();
|
||||
assertThat(certificates.length).isEqualTo(2);
|
||||
assertThat(certificates[0].getType()).isEqualTo("X.509");
|
||||
assertThat(certificates[1].getType()).isEqualTo("X.509");
|
||||
}
|
||||
|
||||
@Test
|
||||
void parseCertificateChain() throws IOException {
|
||||
Path path = this.fileWriter.writeFile("ca.pem", PemFileWriter.CA_CERTIFICATE, PemFileWriter.CERTIFICATE);
|
||||
X509Certificate[] certificates = CertificateParser.parse(path);
|
||||
assertThat(certificates).isNotNull();
|
||||
assertThat(certificates.length).isEqualTo(2);
|
||||
assertThat(certificates[0].getType()).isEqualTo("X.509");
|
||||
assertThat(certificates[1].getType()).isEqualTo("X.509");
|
||||
}
|
||||
|
||||
@Test
|
||||
void parseWithInvalidPathWillThrowException() throws URISyntaxException {
|
||||
Path path = Paths.get(new URI("file:///bad/path/cert.pem"));
|
||||
assertThatIllegalStateException().isThrownBy(() -> CertificateParser.parse(path))
|
||||
.withMessageContaining(path.toString());
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,84 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.ssl;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.security.KeyStore;
|
||||
import java.security.KeyStoreException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.UnrecoverableKeyException;
|
||||
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* Tests for {@link KeyStoreFactory}.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
*/
|
||||
class KeyStoreFactoryTests {
|
||||
|
||||
private PemFileWriter fileWriter;
|
||||
|
||||
@BeforeEach
|
||||
void setUp() throws IOException {
|
||||
this.fileWriter = new PemFileWriter();
|
||||
}
|
||||
|
||||
@AfterEach
|
||||
void tearDown() throws IOException {
|
||||
this.fileWriter.cleanup();
|
||||
}
|
||||
|
||||
@Test
|
||||
void createKeyStoreWithCertChain()
|
||||
throws IOException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {
|
||||
Path certPath = this.fileWriter.writeFile("cert.pem", PemFileWriter.CA_CERTIFICATE, PemFileWriter.CERTIFICATE);
|
||||
KeyStore keyStore = KeyStoreFactory.create(certPath, null, "test-alias");
|
||||
|
||||
assertThat(keyStore.containsAlias("test-alias-0")).isTrue();
|
||||
assertThat(keyStore.getCertificate("test-alias-0")).isNotNull();
|
||||
assertThat(keyStore.getKey("test-alias-0", new char[] {})).isNull();
|
||||
|
||||
assertThat(keyStore.containsAlias("test-alias-1")).isTrue();
|
||||
assertThat(keyStore.getCertificate("test-alias-1")).isNotNull();
|
||||
assertThat(keyStore.getKey("test-alias-1", new char[] {})).isNull();
|
||||
|
||||
Files.delete(certPath);
|
||||
}
|
||||
|
||||
@Test
|
||||
void createKeyStoreWithCertChainAndPrivateKey()
|
||||
throws IOException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {
|
||||
Path certPath = this.fileWriter.writeFile("cert.pem", PemFileWriter.CA_CERTIFICATE, PemFileWriter.CERTIFICATE);
|
||||
Path keyPath = this.fileWriter.writeFile("key.pem", PemFileWriter.PRIVATE_KEY);
|
||||
KeyStore keyStore = KeyStoreFactory.create(certPath, keyPath, "test-alias");
|
||||
|
||||
assertThat(keyStore.containsAlias("test-alias")).isTrue();
|
||||
assertThat(keyStore.getCertificate("test-alias")).isNotNull();
|
||||
assertThat(keyStore.getKey("test-alias", new char[] {})).isNotNull();
|
||||
|
||||
Files.delete(certPath);
|
||||
Files.delete(keyPath);
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,122 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.ssl;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.nio.file.StandardOpenOption;
|
||||
|
||||
import org.springframework.util.FileSystemUtils;
|
||||
|
||||
/**
|
||||
* Utility to write certificate and key PEM files for testing.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
*/
|
||||
public class PemFileWriter {
|
||||
|
||||
private static final String EXAMPLE_SECRET_QUALIFIER = "example";
|
||||
|
||||
public static final String CA_CERTIFICATE = "-----BEGIN TRUSTED CERTIFICATE-----\n"
|
||||
+ "MIIClzCCAgACCQCPbjkRoMVEQDANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMC\n"
|
||||
+ "VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x\n"
|
||||
+ "DTALBgNVBAoMBFRlc3QxDTALBgNVBAsMBFRlc3QxFDASBgNVBAMMC2V4YW1wbGUu\n"
|
||||
+ "Y29tMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29tMB4XDTIwMDMyNzIx\n"
|
||||
+ "NTgwNFoXDTIxMDMyNzIxNTgwNFowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApD\n"
|
||||
+ "YWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARUZXN0\n"
|
||||
+ "MQ0wCwYDVQQLDARUZXN0MRQwEgYDVQQDDAtleGFtcGxlLmNvbTEfMB0GCSqGSIb3\n"
|
||||
+ "DQEJARYQdGVzdEBleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC\n"
|
||||
+ "gYEA1YzixWEoyzrd20C2R1gjyPCoPfFLlG6UYTyT0tueNy6yjv6qbJ8lcZg7616O\n"
|
||||
+ "3I9LuOHhZh9U+fCDCgPfiDdyJfDEW/P+dsOMFyMUXPrJPze2yPpOnvV8iJ5DM93u\n"
|
||||
+ "fEVhCCyzLdYu0P2P3hU2W+T3/Im9DA7FOPA2vF1SrIJ2qtUCAwEAATANBgkqhkiG\n"
|
||||
+ "9w0BAQUFAAOBgQBdShkwUv78vkn1jAdtfbB+7mpV9tufVdo29j7pmotTCz3ny5fc\n"
|
||||
+ "zLEfeu6JPugAR71JYbc2CqGrMneSk1zT91EH6ohIz8OR5VNvzB7N7q65Ci7OFMPl\n"
|
||||
+ "ly6k3rHpMCBtHoyNFhNVfPLxGJ9VlWFKLgIAbCmL4OIQm1l6Fr1MSM38Zw==\n" + "-----END TRUSTED CERTIFICATE-----\n";
|
||||
|
||||
public static final String CA_PRIVATE_KEY = EXAMPLE_SECRET_QUALIFIER + "-----BEGIN PRIVATE KEY-----\n"
|
||||
+ "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANWM4sVhKMs63dtA\n"
|
||||
+ "tkdYI8jwqD3xS5RulGE8k9Lbnjcuso7+qmyfJXGYO+tejtyPS7jh4WYfVPnwgwoD\n"
|
||||
+ "34g3ciXwxFvz/nbDjBcjFFz6yT83tsj6Tp71fIieQzPd7nxFYQgssy3WLtD9j94V\n"
|
||||
+ "Nlvk9/yJvQwOxTjwNrxdUqyCdqrVAgMBAAECgYEAyJTlZ8nj3Eg1nLxCue6C5jmN\n"
|
||||
+ "fWkIuanH+zFAE/0utdxJ4WA4yYAOVo1MMr8FZwu9bzHTWe2yDnWnT5/ltPeHYX2X\n"
|
||||
+ "9Pg5cY0tjq07utaMwLKWgJ0Xoh2UpVM799t/rSvMWmLaZ2c8nipX+gQfYJFpX8Vg\n"
|
||||
+ "mR3QPxwdmNyFo13qif0CQQD4z2SqCfARuxscTCJDZ6wReikMQxaJvq74lPEtT26L\n"
|
||||
+ "rBr/bN+mG7+rMEHxs5wtU47aNjUKuVVC0Qfhsf95ahvHAkEA27inSlxrwGvhvFsD\n"
|
||||
+ "FWdgDsfYpPZdL4YgpVSEvcoypRGg2suJw2omcKcY56XpkmWUqZc06QirumtnEC0P\n"
|
||||
+ "HfnsgwJBAMVhEURrOc13FxytsQiz96atuF6H4htH79o3ndQKDXI0B/7VSd6maLjP\n"
|
||||
+ "QaESkTTL8qldE1r8h4zH8m6zHC4fZQUCQFWJ+8bdWC2fUlBr9jVc+26Fqvf92aVo\n"
|
||||
+ "yEjVMKBamYDd7gt/9fAX4UM2KmH0m4wc89VaQoT+lSyMJ6GKiToYVFUCQEXcyoeO\n"
|
||||
+ "zWqtSgEX/eXQXzmMKxYnjv1O//ba3Q7UiHd/XO5j4QXAJpcB6h0h00uC5KY2d0Zy\n" + "JQ1kB1C2l6l9tyc=\n"
|
||||
+ "-----END PRIVATE KEY-----";
|
||||
|
||||
public static final String CERTIFICATE = "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "MIICjzCCAfgCAQEwDQYJKoZIhvcNAQEFBQAwgY8xCzAJBgNVBAYTAlVTMRMwEQYD\n"
|
||||
+ "VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK\n"
|
||||
+ "DARUZXN0MQ0wCwYDVQQLDARUZXN0MRQwEgYDVQQDDAtleGFtcGxlLmNvbTEfMB0G\n"
|
||||
+ "CSqGSIb3DQEJARYQdGVzdEBleGFtcGxlLmNvbTAeFw0yMDAzMjcyMjAxNDZaFw0y\n"
|
||||
+ "MTAzMjcyMjAxNDZaMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5p\n"
|
||||
+ "YTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwEVGVzdDENMAsGA1UE\n"
|
||||
+ "CwwEVGVzdDEUMBIGA1UEAwwLZXhhbXBsZS5jb20xHzAdBgkqhkiG9w0BCQEWEHRl\n"
|
||||
+ "c3RAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM7kd2cj\n"
|
||||
+ "F49wm1+OQ7Q5GE96cXueWNPr/Nwei71tf6G4BmE0B+suXHEvnLpHTj9pdX/ZzBIK\n"
|
||||
+ "8jIZ/x8RnSduK/Ky+zm1QMYUWZtWCAgCW8WzgB69Cn/hQG8KSX3S9bqODuQAvP54\n"
|
||||
+ "GQJD7+4kVuNBGjFb4DaD4nvMmPtALSZf8ZCZAgMBAAEwDQYJKoZIhvcNAQEFBQAD\n"
|
||||
+ "gYEAOn6X8+0VVlDjF+TvTgI0KIasA6nDm+KXe7LVtfvqWqQZH4qyd2uiwcDM3Aux\n"
|
||||
+ "a/OsPdOw0j+NqFDBd3mSMhSVgfvXdK6j9WaxY1VGXyaidLARgvn63wfzgr857sQW\n"
|
||||
+ "c8eSxbwEQxwlMvVxW6Os4VhCfUQr8VrBrvPa2zs+6IlK+Ug=\n" + "-----END CERTIFICATE-----\n";
|
||||
|
||||
public static final String PRIVATE_KEY = EXAMPLE_SECRET_QUALIFIER + "-----BEGIN RSA PRIVATE KEY-----\n"
|
||||
+ "MIICXAIBAAKBgQDO5HdnIxePcJtfjkO0ORhPenF7nljT6/zcHou9bX+huAZhNAfr\n"
|
||||
+ "LlxxL5y6R04/aXV/2cwSCvIyGf8fEZ0nbivysvs5tUDGFFmbVggIAlvFs4AevQp/\n"
|
||||
+ "4UBvCkl90vW6jg7kALz+eBkCQ+/uJFbjQRoxW+A2g+J7zJj7QC0mX/GQmQIDAQAB\n"
|
||||
+ "AoGAIWPsBWA7gDHrUYuzT5XbX5BiWlIfAezXPWtMoEDY1W/Oz8dG8+TilH3brJCv\n"
|
||||
+ "hzps9TpgXhUYK4/Yhdog4+k6/EEY80RvcObOnflazTCVS041B0Ipm27uZjIq2+1F\n"
|
||||
+ "ZfbWP+B3crpzh8wvIYA+6BCcZV9zi8Od32NEs39CtrOrFPUCQQDxnt9+JlWjtteR\n"
|
||||
+ "VttRSKjtzKIF08BzNuZlRP9HNWveLhphIvdwBfjASwqgtuslqziEnGG8kniWzyYB\n"
|
||||
+ "a/ZZVoT3AkEA2zSBMpvGPDkGbOMqbnR8UL3uijkOj+blQe1gsyu3dUa9T42O1u9h\n"
|
||||
+ "Iz5SdCYlSFHbDNRFrwuW2QnhippqIQqC7wJAbVeyWEpM0yu5XiJqWdyB5iuG3xA2\n"
|
||||
+ "tW0Q0p9ozvbT+9XtRiwmweFR8uOCybw9qexURV7ntAis3cKctmP/Neq7fQJBAKGa\n"
|
||||
+ "59UjutYTRIVqRJICFtR/8ii9P9sfYs1j7/KnvC0d5duMhU44VOjivW8b4Eic8F1Y\n"
|
||||
+ "8bbHWILSIhFJHg0V7skCQDa8/YkRWF/3pwIZNWQr4ce4OzvYsFMkRvGRdX8B2a0p\n"
|
||||
+ "wSKcVTdEdO2DhBlYddN0zG0rjq4vDMtdmldEl4BdldQ=\n" + "-----END RSA PRIVATE KEY-----\n";
|
||||
|
||||
private final Path tempDir;
|
||||
|
||||
public PemFileWriter() throws IOException {
|
||||
this.tempDir = Files.createTempDirectory("buildpack-platform-docker-ssl-tests");
|
||||
}
|
||||
|
||||
Path writeFile(String name, String... contents) throws IOException {
|
||||
Path path = Paths.get(this.tempDir.toString(), name);
|
||||
for (String content : contents) {
|
||||
Files.write(path, content.replaceAll(EXAMPLE_SECRET_QUALIFIER, "").getBytes(), StandardOpenOption.CREATE,
|
||||
StandardOpenOption.APPEND);
|
||||
}
|
||||
return path;
|
||||
}
|
||||
|
||||
public Path getTempDir() {
|
||||
return this.tempDir;
|
||||
}
|
||||
|
||||
void cleanup() throws IOException {
|
||||
FileSystemUtils.deleteRecursively(this.tempDir);
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,87 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.ssl;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.security.PrivateKey;
|
||||
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
|
||||
|
||||
/**
|
||||
* Tests for {@link PrivateKeyParser}.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
*/
|
||||
class PrivateKeyParserTests {
|
||||
|
||||
private PemFileWriter fileWriter;
|
||||
|
||||
@BeforeEach
|
||||
void setUp() throws IOException {
|
||||
this.fileWriter = new PemFileWriter();
|
||||
}
|
||||
|
||||
@AfterEach
|
||||
void tearDown() throws IOException {
|
||||
this.fileWriter.cleanup();
|
||||
}
|
||||
|
||||
@Test
|
||||
void parsePkcs8KeyFile() throws IOException {
|
||||
Path path = this.fileWriter.writeFile("key.pem", PemFileWriter.CA_PRIVATE_KEY);
|
||||
PrivateKey privateKey = PrivateKeyParser.parse(path);
|
||||
assertThat(privateKey).isNotNull();
|
||||
assertThat(privateKey.getFormat()).isEqualTo("PKCS#8");
|
||||
Files.delete(path);
|
||||
}
|
||||
|
||||
@Test
|
||||
void parsePkcs1KeyFile() throws IOException {
|
||||
Path path = this.fileWriter.writeFile("key.pem", PemFileWriter.PRIVATE_KEY);
|
||||
PrivateKey privateKey = PrivateKeyParser.parse(path);
|
||||
assertThat(privateKey).isNotNull();
|
||||
// keys in PKCS#1 format are converted to PKCS#8 for parsing
|
||||
assertThat(privateKey.getFormat()).isEqualTo("PKCS#8");
|
||||
Files.delete(path);
|
||||
}
|
||||
|
||||
@Test
|
||||
void parseWithNonKeyFileWillThrowException() throws IOException {
|
||||
Path path = this.fileWriter.writeFile("text.pem", "plain text");
|
||||
assertThatIllegalStateException().isThrownBy(() -> PrivateKeyParser.parse(path))
|
||||
.withMessageContaining(path.toString());
|
||||
Files.delete(path);
|
||||
}
|
||||
|
||||
@Test
|
||||
void parseWithInvalidPathWillThrowException() throws URISyntaxException {
|
||||
URI privateKeyPath = new URI("file:///bad/path/key.pem");
|
||||
assertThatIllegalStateException().isThrownBy(() -> PrivateKeyParser.parse(Paths.get(privateKeyPath)))
|
||||
.withMessageContaining(privateKeyPath.getPath());
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,58 @@
|
||||
/*
|
||||
* Copyright 2012-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.boot.buildpack.platform.docker.ssl;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.net.ssl.SSLContext;
|
||||
|
||||
import org.junit.jupiter.api.AfterEach;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* Tests for {@link SslContextFactory}.
|
||||
*
|
||||
* @author Scott Frederick
|
||||
*/
|
||||
class SslContextFactoryTests {
|
||||
|
||||
private PemFileWriter fileWriter;
|
||||
|
||||
@BeforeEach
|
||||
void setUp() throws IOException {
|
||||
this.fileWriter = new PemFileWriter();
|
||||
}
|
||||
|
||||
@AfterEach
|
||||
void tearDown() throws IOException {
|
||||
this.fileWriter.cleanup();
|
||||
}
|
||||
|
||||
@Test
|
||||
void createKeyStoreWithCertChain() throws IOException {
|
||||
this.fileWriter.writeFile("cert.pem", PemFileWriter.CERTIFICATE);
|
||||
this.fileWriter.writeFile("key.pem", PemFileWriter.PRIVATE_KEY);
|
||||
this.fileWriter.writeFile("ca.pem", PemFileWriter.CA_CERTIFICATE);
|
||||
|
||||
SSLContext sslContext = new SslContextFactory().forPath(this.fileWriter.getTempDir().toString());
|
||||
assertThat(sslContext).isNotNull();
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in New Issue