
Allow for TLS keystore passwords to be given as environment variables #647

Merged
merged 7 commits into from Mar 1, 2019

Conversation

chris-j-h (Collaborator) commented Feb 28, 2019

When configuring P2P TLS, the passwords for client and server keystores/truststores can currently only be provided as part of the JSON configfile. Ideally, credentials should not be stored in files, and so this PR allows for the passwords to be provided by setting environment variables.

Precedence

  1. If the prefixed environment variable is set this will be used, else
  2. If the config value is set this will be used, else
  3. If the global environment variable is set this will be used

Global TLS environment variables

If set, these are applied to all server configs defined in the configfile, i.e. if a P2P and an ADMIN server are both configured with TLS then the values set for the global environment variables will be used for both. The global environment variables are:

  • TESSERA_SERVER_KEYSTORE_PWD
  • TESSERA_SERVER_TRUSTSTORE_PWD
  • TESSERA_CLIENT_KEYSTORE_PWD
  • TESSERA_CLIENT_TRUSTSTORE_PWD

These values are ignored if the passwords are also provided in the configfile or prefixed environment variables.

Prefixed TLS environment variables

An optional field, environmentVariablePrefix, has been added to sslConfig, e.g.:

"sslConfig": {
        ...
        "serverKeyStore": ...,
        "serverTrustStore": ...,
        "clientKeyStore": ...,
        "clientTrustStore": ...,
        "environmentVariablePrefix": "PREFIX"
        ...
},

The passwords for the keystores specified in the sslConfig can be set using the prefixed environment variables:

  • PREFIX_TESSERA_SERVER_KEYSTORE_PWD
  • PREFIX_TESSERA_SERVER_TRUSTSTORE_PWD
  • PREFIX_TESSERA_CLIENT_KEYSTORE_PWD
  • PREFIX_TESSERA_CLIENT_TRUSTSTORE_PWD

Using unique environmentVariablePrefix values for each TLS server configured allows for the keystore passwords for each server to be set.
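The precedence rule described in this PR, as an added example in Python (illustrative code, not Tessera's own Java implementation): a resolver that takes one sslConfig, the passwords read from the configfile (represented here as an assumed store-name-to-password mapping) and an environment mapping, returns each password together with where it came from, and reports which stores still depend on the file.

```python
import os

# Global variable names from the PR description, keyed by the sslConfig store they unlock.
GLOBAL_VARS = {
    "serverKeyStore": "TESSERA_SERVER_KEYSTORE_PWD",
    "serverTrustStore": "TESSERA_SERVER_TRUSTSTORE_PWD",
    "clientKeyStore": "TESSERA_CLIENT_KEYSTORE_PWD",
    "clientTrustStore": "TESSERA_CLIENT_TRUSTSTORE_PWD",
}

def resolve_password(store, ssl_config, config_passwords, env=None):
    """Return (password, source) for one store using the PR's precedence:
    1. <environmentVariablePrefix>_<GLOBAL_VAR> if that variable is set, else
    2. the password from the configfile, else
    3. the unprefixed global variable.
    config_passwords (assumed shape) maps store name -> password read from the file;
    env defaults to the process environment but may be any mapping. A variable that is
    present with an empty value counts as set here (an assumption, not stated in the PR).
    """
    env = os.environ if env is None else env
    global_var = GLOBAL_VARS[store]
    prefix = ssl_config.get("environmentVariablePrefix")
    prefixed = f"{prefix}_{global_var}" if prefix else None
    if prefixed and prefixed in env:
        return env[prefixed], prefixed
    if config_passwords.get(store) is not None:
        return config_passwords[store], "configfile"
    if global_var in env:
        return env[global_var], global_var
    return None, None  # nothing supplied; the caller should refuse to bring up TLS

def resolve_all(ssl_config, config_passwords, env=None):
    """Resolve all four stores for one server's sslConfig."""
    return {s: resolve_password(s, ssl_config, config_passwords, env) for s in GLOBAL_VARS}

def stores_still_in_configfile(resolved):
    """Stores whose password came from the file: the credentials the PR says should move out."""
    return sorted(s for s, (_, src) in resolved.items() if src == "configfile")

if __name__ == "__main__":
    # Constructed environment: one global value plus per-server overrides via prefixes.
    env = {
        "TESSERA_SERVER_KEYSTORE_PWD": "global-ks",
        "P2P_TESSERA_SERVER_KEYSTORE_PWD": "p2p-ks",
        "ADMIN_TESSERA_CLIENT_KEYSTORE_PWD": "admin-cks",
    }
    p2p = resolve_all({"environmentVariablePrefix": "P2P"}, {"serverTrustStore": "file-ts"}, env)
    admin = resolve_all({"environmentVariablePrefix": "ADMIN"}, {}, env)
    for name, res in (("P2P", p2p), ("ADMIN", admin)):
        print(name, res, "still in file:", stores_still_in_configfile(res))
```

Running the script shows the P2P server taking its server keystore password from the prefixed variable while the ADMIN server falls back to the global one, which is the per-server separation the prefix is meant to give.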

codecov-io commented Feb 28, 2019

Codecov Report

Merging #647 into master will increase coverage by 0.01%.
The diff coverage is 100%.


@@             Coverage Diff              @@
##             master     #647      +/-   ##
============================================
+ Coverage     99.45%   99.47%   +0.01%     
- Complexity     1914     1937      +23     
============================================
  Files           300      302       +2     
  Lines          5919     5947      +28     
  Branches        279      283       +4     
============================================
+ Hits           5887     5916      +29     
  Misses            5        5              
+ Partials         27       26       -1
Impacted Files                                        | Coverage Δ         | Complexity Δ
...ssera/ssl/context/ClientSSLContextFactoryImpl.java | 100% <100%> (ø)    | 8 <6> (+6) ⬆️
...ssera/ssl/context/ServerSSLContextFactoryImpl.java | 100% <100%> (ø)    | 8 <6> (+6) ⬆️
...ssera/config/util/EnvironmentVariableProvider.java | 100% <100%> (ø)    | 4 <1> (+1) ⬆️
...onfig/util/EnvironmentVariableProviderFactory.java | 100% <100%> (ø)    | 1 <1> (?)
...g/util/EnvironmentVariableProviderFactoryImpl.java | 100% <100%> (ø)    | 2 <2> (?)
...m/quorum/tessera/config/builder/ConfigBuilder.java | 100% <100%> (ø)    | 38 <0> (ø) ⬇️
...tessera/config/constraints/SslConfigValidator.java | 97.43% <100%> (+1.38%) | 54 <4> (+5) ⬆️
...main/java/com/quorum/tessera/config/SslConfig.java | 100% <100%> (ø)    | 44 <2> (+2) ⬆️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d93b161...0e69239.

@chris-j-h chris-j-h closed this Feb 28, 2019
@chris-j-h chris-j-h reopened this Mar 1, 2019
melowe previously approved these changes Mar 1, 2019
@prd-fox prd-fox self-requested a review March 1, 2019 13:34
@melowe melowe merged commit 37db808 into Consensys:master Mar 1, 2019
@chris-j-h chris-j-h deleted the improvement/tls-env-var-passwords branch March 1, 2019 16:09
@Krish1979 Krish1979 added 0.9 enhancement Non-user code enhancements labels Apr 9, 2019