add support for default truststore

brooklyncentral · Feb 6, 2015 · 68f45d4 · 68f45d4
1 parent 64788a9
commit 68f45d4
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 28 deletions.
diff --git a/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/CustomSSLSocketFactory.java b/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/CustomSSLSocketFactory.java
@@ -1,14 +1,3 @@
-/*
- * *******************************************************
- * Copyright VMware, Inc. 2010-2013.  All Rights Reserved.
- * *******************************************************
- *
- * DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT
- * WARRANTIES OR CONDITIONS # OF ANY KIND, WHETHER ORAL OR WRITTEN,
- * EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY # DISCLAIMS ANY IMPLIED
- * WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY # QUALITY,
- * NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.
- */
 package brooklyn.networking.vclouddirector;
 
 import java.io.FileInputStream;

diff --git a/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/FakeSSLSocketFactory.java b/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/FakeSSLSocketFactory.java
@@ -1,14 +1,3 @@
-/*
- * *******************************************************
- * Copyright VMware, Inc. 2010-2013.  All Rights Reserved.
- * *******************************************************
- *
- * DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT
- * WARRANTIES OR CONDITIONS # OF ANY KIND, WHETHER ORAL OR WRITTEN,
- * EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY # DISCLAIMS ANY IMPLIED
- * WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY # QUALITY,
- * NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.
- */
 package brooklyn.networking.vclouddirector;
 
 import java.security.KeyManagementException;

diff --git a/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/NatService.java b/vcloud-director/src/main/java/brooklyn/networking/vclouddirector/NatService.java
@@ -2,6 +2,7 @@
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
+import java.io.File;
 import java.net.InetAddress;
 import java.util.ArrayList;
 import java.util.Iterator;
@@ -47,6 +48,8 @@
 import brooklyn.util.exceptions.Exceptions;
 import brooklyn.util.guava.Maybe;
 import brooklyn.util.net.Protocol;
+import brooklyn.util.os.Os;
+import brooklyn.util.text.Strings;
 import brooklyn.util.time.Duration;
 import brooklyn.util.time.Time;
 
@@ -477,6 +480,11 @@ protected VcloudClient newVcloudClient() {
     }
 
     protected VcloudClient newVcloudClient(String endpoint, String identity, String credential, String trustStore, String trustStorePassword, Level logLevel) {
+
+        if (trustStore == null) {
+            trustStore = getDefaultTrustStore();
+        }
+
         try {
             if (logLevel != null) {
                 // Logging is extremely verbose at INFO - it logs in full every http request/response (including payload).
@@ -491,16 +499,18 @@ protected VcloudClient newVcloudClient(String endpoint, String identity, String
                 try {
                     vcloudClient = new VcloudClient(endpoint, version);
                     LOG.debug("VCloudClient - trying login to {} using {}", endpoint, version);
-                    vcloudClient.login(identity, credential);
 
                     // Performing Certificate Validation
-                    if (trustStore != null && trustStorePassword != null) {
+                    if (Strings.isNonBlank(trustStorePassword)) {
+                        LOG.debug("Registering HTTPS scheme using trustStore ='{}' with trustStorePassword = '{}'", trustStore, trustStorePassword);
                         vcloudClient.registerScheme("https", 443, CustomSSLSocketFactory.getInstance(trustStore, trustStorePassword));
                     } else {
-                        LOG.warn("Ignoring the Certificate Validation using FakeSSLSocketFactory");
-                        vcloudClient.registerScheme("https", 443, FakeSSLSocketFactory.getInstance());
+                        LOG.warn("Registering HTTPS scheme using FakeSSLSocketFactory, as trustStore ='{}' with trustorePassword = '{}' are not valid.",
+                                trustStore, Strings.isBlank(trustStorePassword) ? "empty" : trustStorePassword);
+                                vcloudClient.registerScheme("https", 443, FakeSSLSocketFactory.getInstance());
                     }
 
+                    vcloudClient.login(identity, credential);
                     versionFound = true;
                     LOG.info("VCloudClient - Logged into {} using version {}", endpoint, version);
                     break;
@@ -517,6 +527,23 @@ protected VcloudClient newVcloudClient(String endpoint, String identity, String
         }
     }
 
+    /**
+     * http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization
+     *
+     * @return the default truststore, jssecacerts, if it exists. Otherwise, cacerts
+     */
+    private String getDefaultTrustStore() {
+        String trustStore;
+        String trustStoreFolder = Os.mergePaths(System.getProperty("java.home"), "lib", "security");
+        trustStore = Os.mergePaths(trustStoreFolder, "jssecacerts");
+        if (!new File(trustStore).exists()) {
+            trustStore = Os.mergePaths(trustStoreFolder, "cacerts");
+        } else {
+            throw new IllegalStateException("Cannot find a valid default truststore (jssecacerts or cacerts) in " + trustStoreFolder);
+        }
+        return trustStore;
+    }
+
     private GatewayNatRuleType generateGatewayNatRule(Protocol protocol, HostAndPort original,
             HostAndPort translated, ReferenceType interfaceRef) {
         GatewayNatRuleType gatewayNatRule = new GatewayNatRuleType();

diff --git a/...d-director/src/test/java/brooklyn/networking/vclouddirector/SecureNatServiceLiveTest.java b/...d-director/src/test/java/brooklyn/networking/vclouddirector/SecureNatServiceLiveTest.java
@@ -29,7 +29,6 @@
  * brooklyn.location.named.canopy-vCHS.credential=pa55w0rd
  * brooklyn.location.named.canopy-vCHS.advancednetworking.vcloud.network.id=041e176a-befc-4b28-89e2-3c5343ff4d12
  * brooklyn.location.named.canopy-vCHS.advancednetworking.vcloud.network.publicip=23.92.230.21
- * brooklyn.location.named.canopy-vCHS.trustStore=/Library/Java/JavaVirtualMachines/jdk1.7.0_71.jdk/Contents/Home/jre/lib/security/cacerts
  * brooklyn.location.named.canopy-vCHS.trustStorePassword=changeit
  *
  * brooklyn.location.named.canopy-TAI=jclouds:vcloud-director:https://svdc.it-solutions.atos.net/api
@@ -98,8 +97,9 @@ private NatService.Builder newServiceBuilder(JcloudsLocation loc) {
             throw Exceptions.propagate(e);
         }
 
-        String trustStore = (String) loc.getAllConfigBag().getStringKey("trustStore");
+        String trustStore = (String) loc.getAllConfigBag().getStringKey("trustStore"); // if null, it will use default trustore
         String trustStorePassword = (String) loc.getAllConfigBag().getStringKey("trustStorePassword");
+        assertNotNull(trustStorePassword, "trustStorePassword not set on location " + loc);
 
         return NatService.builder()
                 .identity(loc.getIdentity())