[3x] TlsManager backport (#7650)

helidon-io · Sep 27, 2023 · 58a859e · 58a859e
1 parent 72214e1
commit 58a859e
Show file tree

Hide file tree

Showing 54 changed files with 3,707 additions and 131 deletions.
diff --git a/bom/pom.xml b/bom/pom.xml
@@ -922,6 +922,11 @@
                 <artifactId>helidon-integrations-oci-metrics</artifactId>
                 <version>${helidon.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.oci</groupId>
+                <artifactId>helidon-integrations-oci-tls-certificates</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
             <dependency>
                 <groupId>io.helidon.integrations.oci.metrics</groupId>
                 <artifactId>helidon-integrations-oci-metrics-cdi</artifactId>

diff --git a/common/key-util/src/main/java/io/helidon/common/pki/PemReader.java b/common/key-util/src/main/java/io/helidon/common/pki/PemReader.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2022 Oracle and/or its affiliates.
+ * Copyright (c) 2017, 2023 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -48,7 +48,7 @@
 /**
  * Reads a PEM file and converts it into a list of DERs so that they are imported into a {@link java.security.KeyStore} easily.
  */
-final class PemReader {
+public final class PemReader {
     private static final Logger LOGGER = Logger.getLogger(PemReader.class.getName());
 
     private static final Pattern CERT_PATTERN = Pattern.compile(
@@ -91,7 +91,6 @@ static PublicKey readPublicKey(InputStream input) {
     }
 
     static PrivateKey readPrivateKey(InputStream input, char[] password) {
-
         PrivateKeyInfo pkInfo = readPrivateKeyBytes(input);
 
         switch (pkInfo.type) {
@@ -152,7 +151,13 @@ private static PrivateKey rsaPrivateKey(KeySpec keySpec) {
         }
     }
 
-    static List<X509Certificate> readCertificates(InputStream certStream) {
+    /**
+     * Reads a certificate-based input stream and converts it to a list of {@link X509Certificate}s.
+     *
+     * @param certStream cert input stream
+     * @return list of certificates
+     */
+    public static List<X509Certificate> readCertificates(InputStream certStream) {
         CertificateFactory cf;
         try {
             cf = CertificateFactory.getInstance("X.509");

diff --git a/integrations/oci/pom.xml b/integrations/oci/pom.xml
@@ -37,5 +37,6 @@
         <module>oci-secrets-config-source</module>
         <module>oci-secrets-mp-config-source</module>
         <module>sdk</module>
+        <module>tls-certificates</module>
     </modules>
 </project>
diff --git a/integrations/oci/tls-certificates/README.md b/integrations/oci/tls-certificates/README.md
@@ -0,0 +1,29 @@
+# Helidon Integrations for OCI Key Manager Service
+
+This module contains the **_OciKmsTlsManager_** provider that offers lifecycle and rotation of certificates to be used with Helidon Tls when configured. It is designed specifically to integrate with [Oracle Cloud Infrastructure](https://www.oracle.com/cloud)'s [Certificates](https://www.oracle.com/security/cloud-security/ssl-tls-certificates) Service.
+
+## Usage
+Integrating with OCI's Certificates Service from Helidon is a simple matter of configuration.
+
+First, use OCI's Certificates Service to create your certificates. Follow the directions [here](https://docs.oracle.com/en-us/iaas/Content/certificates/home.htm).
+
+In your pom.xml, include a dependency to this module.
+
+In your application.yaml configuration, include a reference to the oci-certificates Tls Manager.
+
+```yaml
+...
+  tls:
+    manager:
+      oci-certificates:
+        # Download tls context each 30 seconds
+        schedule: 0/30 * * * * ? *
+
+        vault-crypto-endpoint: https://...
+
+        ca-ocid: ${CA_OCID}
+        cert-ocid: ${SERVER_CERT_OCID}
+        key-ocid: ${SERVER_KEY_OCID}
+        key-pass: TODO
+...
+```
diff --git a/integrations/oci/tls-certificates/etc/spotbugs/exclude.xml b/integrations/oci/tls-certificates/etc/spotbugs/exclude.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2023 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<FindBugsFilter
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://github.com/spotbugs/filter/3.0.0"
+        xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <Match>
+        <!-- Needed by OCI - "AESWrapPad" -->
+        <!-- https://docs.oracle.com/en/java/javase/20/docs/specs/security/standard-names.html -->
+        <Class name="io.helidon.integrations.oci.tls.certificates.DefaultOciPrivateKeyDownloader" />
+        <Method name="unwrapRSA"/>
+        <Bug pattern="CIPHER_INTEGRITY"/>
+    </Match>
+
+</FindBugsFilter>
diff --git a/integrations/oci/tls-certificates/pom.xml b/integrations/oci/tls-certificates/pom.xml
@@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2023 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <groupId>io.helidon.integrations.oci</groupId>
+        <artifactId>helidon-integrations-oci-project</artifactId>
+        <version>3.2.3-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>helidon-integrations-oci-tls-certificates</artifactId>
+    <name>Helidon Integrations OCI Certificates Service</name>
+
+    <properties>
+        <spotbugs.exclude>etc/spotbugs/exclude.xml</spotbugs.exclude>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.oracle.oci.sdk</groupId>
+            <artifactId>oci-java-sdk-common</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.oracle.oci.sdk</groupId>
+            <artifactId>oci-java-sdk-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.oracle.oci.sdk</groupId>
+            <artifactId>oci-java-sdk-keymanagement</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.oracle.oci.sdk</groupId>
+            <artifactId>oci-java-sdk-certificates</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.oracle.oci.sdk</groupId>
+            <artifactId>oci-java-sdk-vault</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>jakarta.inject</groupId>
+            <artifactId>jakarta.inject-api</artifactId>
+<!--            <optional>true</optional>--> <!-- needed for jakarta.inject.Provider -->
+        </dependency>
+        <dependency>
+            <groupId>jakarta.annotation</groupId>
+            <artifactId>jakarta.annotation-api</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.webserver</groupId>
+            <artifactId>helidon-webserver</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.common</groupId>
+            <artifactId>helidon-common-key-util</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.common</groupId>
+            <artifactId>helidon-common-service-loader</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.integrations.oci.sdk</groupId>
+            <artifactId>helidon-integrations-oci-sdk-runtime</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.fault-tolerance</groupId>
+            <artifactId>helidon-fault-tolerance</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.scheduling</groupId>
+            <artifactId>helidon-scheduling</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.config</groupId>
+            <artifactId>helidon-config-yaml</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.config</groupId>
+            <artifactId>helidon-config-metadata</artifactId>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.config</groupId>
+            <artifactId>helidon-config-metadata-processor</artifactId>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+
+        <!-- needed to actually use OCI SDK -->
+        <dependency>
+            <groupId>com.oracle.oci.sdk</groupId>
+            <artifactId>oci-java-sdk-common-httpclient-jersey3</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>io.helidon.common.testing</groupId>
+            <artifactId>helidon-common-testing-junit5</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.hamcrest</groupId>
+            <artifactId>hamcrest-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.microprofile.cdi</groupId>
+            <artifactId>helidon-microprofile-cdi</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.microprofile.tests</groupId>
+            <artifactId>helidon-microprofile-tests-junit5</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.microprofile.bundles</groupId>
+            <artifactId>helidon-microprofile</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <systemPropertyVariables>
+                        <VAULT_CRYPTO_ENDPOINT>SETME</VAULT_CRYPTO_ENDPOINT>
+                        <CA_OCID>SETME</CA_OCID>
+                        <SERVER_CERT_OCID>SETME</SERVER_CERT_OCID>
+                        <SERVER_KEY_OCID>SETME</SERVER_KEY_OCID>
+
+                        <oci.real.usage>false</oci.real.usage>
+                    </systemPropertyVariables>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>