From 160c1e31172178a0a18ae947e80c8f0ba3a15270 Mon Sep 17 00:00:00 2001
From: Andrea Turli
Date: Fri, 6 Feb 2015 13:56:14 +0100
Subject: [PATCH] add support for default truststore
---
 .../CustomSSLSocketFactory.java | 11 ------
 .../vclouddirector/FakeSSLSocketFactory.java | 11 ------
 .../networking/vclouddirector/NatService.java | 35 ++++++++++++++++---
 .../SecureNatServiceLiveTest.java | 4 +--
 4 files changed, 33 insertions(+), 28 deletions(-)
diff --git a/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/CustomSSLSocketFactory.java b/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/CustomSSLSocketFactory.java
index d72bd54f..3bd94c2f 100644
--- a/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/CustomSSLSocketFactory.java
+++ b/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/CustomSSLSocketFactory.java
@@ -1,14 +1,3 @@
-/*
- * *******************************************************
- * Copyright VMware, Inc. 2010-2013. All Rights Reserved.
- * *******************************************************
- *
- * DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT
- * WARRANTIES OR CONDITIONS # OF ANY KIND, WHETHER ORAL OR WRITTEN,
- * EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY # DISCLAIMS ANY IMPLIED
- * WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY # QUALITY,
- * NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.
- */
 package brooklyn.networking.vclouddirector;
 import java.io.FileInputStream;
diff --git a/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/FakeSSLSocketFactory.java b/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/FakeSSLSocketFactory.java
index 3a0e6368..33a91526 100644
--- a/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/FakeSSLSocketFactory.java
+++ b/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/FakeSSLSocketFactory.java
@@ -1,14 +1,3 @@
-/*
- * *******************************************************
- * Copyright VMware, Inc. 2010-2013. All Rights Reserved.
- * *******************************************************
- *
- * DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT
- * WARRANTIES OR CONDITIONS # OF ANY KIND, WHETHER ORAL OR WRITTEN,
- * EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY # DISCLAIMS ANY IMPLIED
- * WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY # QUALITY,
- * NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.
- */
 package brooklyn.networking.vclouddirector;
 import java.security.KeyManagementException;
diff --git a/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/NatService.java b/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/NatService.java
index ac2e8243..76c47ec3 100644
--- a/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/NatService.java
+++ b/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/NatService.java
@@ -2,6 +2,7 @@
 import static com.google.common.base.Preconditions.checkNotNull;
+import java.io.File;
 import java.net.InetAddress;
 import java.util.ArrayList;
 import java.util.Iterator;
@@ -47,6 +48,8 @@
 import brooklyn.util.exceptions.Exceptions;
 import brooklyn.util.guava.Maybe;
 import brooklyn.util.net.Protocol;
+import brooklyn.util.os.Os;
+import brooklyn.util.text.Strings;
 import brooklyn.util.time.Duration;
 import brooklyn.util.time.Time;
@@ -477,6 +480,11 @@ protected VcloudClient newVcloudClient() {
 }
 protected VcloudClient newVcloudClient(String endpoint, String identity, String credential, String trustStore, String trustStorePassword, Level logLevel) {
+
+ if (trustStore == null) {
+ trustStore = getDefaultTrustStore();
+ }
+
 try {
 if (logLevel != null) {
 // Logging is extremely verbose at INFO - it logs in full every http request/response (including payload).
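Review bot: The new guard at the top of newVcloudClient applies the default only when `trustStore` is exactly null, while the password is tested with `Strings.isNonBlank` a few lines further down (next hunk); an empty string read from configuration therefore bypasses the default and is passed to CustomSSLSocketFactory as a file path. Using the same helper keeps the two checks consistent: `if (Strings.isBlank(trustStore)) {`. Reassigning the parameter also hides the caller-supplied value for the rest of a long method; a local such as `String effectiveTrustStore = Strings.isBlank(trustStore) ? getDefaultTrustStore() : trustStore;` would make the fallback explicit where the later log messages print it. Note that getDefaultTrustStore can throw IllegalStateException here, outside the try block that follows, so callers see a different failure mode than for other client errors. The method body continues past the end of this hunk.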
@@ -491,16 +499,18 @@ protected VcloudClient newVcloudClient(String endpoint, String identity, String
 try {
 vcloudClient = new VcloudClient(endpoint, version);
 LOG.debug("VCloudClient - trying login to {} using {}", endpoint, version);
- vcloudClient.login(identity, credential);
 // Performing Certificate Validation
- if (trustStore != null && trustStorePassword != null) {
+ if (Strings.isNonBlank(trustStorePassword)) {
+ LOG.debug("Registering HTTPS scheme using trustStore ='{}' with trustStorePassword = '{}'", trustStore, trustStorePassword);
 vcloudClient.registerScheme("https", 443, CustomSSLSocketFactory.getInstance(trustStore, trustStorePassword));
 } else {
- LOG.warn("Ignoring the Certificate Validation using FakeSSLSocketFactory");
- vcloudClient.registerScheme("https", 443, FakeSSLSocketFactory.getInstance());
+ LOG.warn("Registering HTTPS scheme using FakeSSLSocketFactory, as trustStore ='{}' with trustorePassword = '{}' are not valid.",
+ trustStore, Strings.isBlank(trustStorePassword) ? "empty" : trustStorePassword);
+ vcloudClient.registerScheme("https", 443, FakeSSLSocketFactory.getInstance());
 }
+ vcloudClient.login(identity, credential);
 versionFound = true;
 LOG.info("VCloudClient - Logged into {} using version {}", endpoint, version);
 break;
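Review bot: Both new log statements in this hunk write `trustStorePassword` to the log in clear text (the `LOG.debug(... with trustStorePassword = '{}' ...)` line and the `LOG.warn` below it); a keystore password is a credential and should not appear in logs at any level. Log only the path and the fact that a password was or was not supplied, e.g. `LOG.debug("Registering HTTPS scheme using trustStore='{}'", trustStore);` and `LOG.warn("Registering HTTPS scheme using FakeSSLSocketFactory (certificate validation disabled) because trustStorePassword is blank; trustStore='{}'", trustStore);`. The warn text also claims the trust store is "not valid", but nothing in this branch examines the trust store file — only `Strings.isNonBlank(trustStorePassword)` decides — and since `trustStore` is now defaulted whenever it is null, a blank password is the single condition that turns certificate validation off, which the message should state plainly. newVcloudClient begins and ends outside this hunk.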
@@ -517,6 +527,23 @@ protected VcloudClient newVcloudClient(String endpoint, String identity, String
 }
 }
+ /**
+ * http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization
+ *
+ * @return the default truststore, jssecacerts, if it exists. Otherwise, cacerts
+ */
+ private String getDefaultTrustStore() {
+ String trustStore;
+ String trustStoreFolder = Os.mergePaths(System.getProperty("java.home"), "lib", "security");
+ trustStore = Os.mergePaths(trustStoreFolder, "jssecacerts");
+ if (!new File(trustStore).exists()) {
+ trustStore = Os.mergePaths(trustStoreFolder, "cacerts");
+ } else {
+ throw new IllegalStateException("Cannot find a valid default truststore (jssecacerts or cacerts) in " + trustStoreFolder);
+ }
+ return trustStore;
+ }
+
 private GatewayNatRuleType generateGatewayNatRule(Protocol protocol, HostAndPort original, HostAndPort translated, ReferenceType interfaceRef) { GatewayNatRuleType gatewayNatRule = new GatewayNatRuleType();
diff --git a/vcloud-director/src/test/java/brooklyn/networking/vclouddirector/SecureNatServiceLiveTest.java b/vcloud-director/src/test/java/brooklyn/networking/vclouddirector/SecureNatServiceLiveTest.java
index b00a2958..7d46e2e3 100644
--- a/vcloud-director/src/test/java/brooklyn/networking/vclouddirector/SecureNatServiceLiveTest.java
+++ b/vcloud-director/src/test/java/brooklyn/networking/vclouddirector/SecureNatServiceLiveTest.java
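Review bot: The `if`/`else` in the new getDefaultTrustStore is inverted: when `jssecacerts` exists the method throws the "Cannot find a valid default truststore" IllegalStateException, and when it does not exist the method returns the `cacerts` path without checking that this file exists either, so the documented fallback can never succeed and a missing default store is reported as a later SSL failure instead. Throw only after both candidates have been checked — replace `} else {` with `}` followed by a second `if (!new File(trustStore).exists()) {` guarding the `throw`, leaving `return trustStore;` as the normal exit. The Javadoc should also declare the failure mode, e.g. `@throws IllegalStateException if neither jssecacerts nor cacerts exists under java.home/lib/security`.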
@@ -29,7 +29,6 @@
 * brooklyn.location.named.canopy-vCHS.credential=pa55w0rd
 * brooklyn.location.named.canopy-vCHS.advancednetworking.vcloud.network.id=041e176a-befc-4b28-89e2-3c5343ff4d12
 * brooklyn.location.named.canopy-vCHS.advancednetworking.vcloud.network.publicip=23.92.230.21
- * brooklyn.location.named.canopy-vCHS.trustStore=/Library/Java/JavaVirtualMachines/jdk1.7.0_71.jdk/Contents/Home/jre/lib/security/cacerts
 * brooklyn.location.named.canopy-vCHS.trustStorePassword=changeit
 *
 * brooklyn.location.named.canopy-TAI=jclouds:vcloud-director:https://svdc.it-solutions.atos.net/api
@@ -98,8 +97,9 @@ private NatService.Builder newServiceBuilder(JcloudsLocation loc) {
 throw Exceptions.propagate(e);
 }
- String trustStore = (String) loc.getAllConfigBag().getStringKey("trustStore");
+ String trustStore = (String) loc.getAllConfigBag().getStringKey("trustStore"); // if null, it will use default trustore
 String trustStorePassword = (String) loc.getAllConfigBag().getStringKey("trustStorePassword");
+ assertNotNull(trustStorePassword, "trustStorePassword not set on location " + loc);
 return NatService.builder()
 .identity(loc.getIdentity())
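Review bot: The new `assertNotNull(trustStorePassword, ...)` still passes for an empty string, and with the `Strings.isNonBlank(trustStorePassword)` check introduced in NatService.newVcloudClient an empty password selects FakeSSLSocketFactory, so this "Secure" live test could run with certificate validation disabled and not notice. Assert the property the test actually relies on, e.g. `assertTrue(Strings.isNonBlank(trustStorePassword), "trustStorePassword not set on location " + loc);` (using brooklyn.util.text.Strings, if it is available in this test; otherwise `!trustStorePassword.isEmpty()`). The trailing comment on the `trustStore` line has a typo: `// if null, the default truststore is used`. newServiceBuilder starts and ends outside this hunk.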