Re-work

opencadc · Aug 15, 2024 · 35ea802 · 35ea802
1 parent 5055a05
commit 35ea802
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 43 deletions.
diff --git a/cred/README.md b/cred/README.md
@@ -4,6 +4,17 @@
 
 The following configuration files must be available in the /config directory.
 
+### signcert.pem
+This is the signing certificate that contains both the X509 certificate and the private key 
+(without a passphrase) of the signing authority.
+
+### cadcproxy.pem
+Certificate used to augment subject.
+
+### RsaSignaturePub.key
+Public key used to decode the CADC tokens. While optional, its presence optimizes the execution by
+avoiding the augment subject call over the network.
+
 ### catalina.properties
 This file contains java system properties to configure the tomcat server and some of the java
 libraries used in the service.
@@ -25,17 +36,13 @@ org.opencadc.cred.superUser = {user identity}
 # maximum lifetime (in days, floating point) of retrieved proxy certifciates
 org.opencadc.cred.maxDaysValid = {time in days}
 
-# size of the generated RSA keys (2048, 4096 ...)
-org.opencadc.cred.userKeySize = {2048|4096|...}
+
 ```
 
 ### example cred.properties entry section:
 ```
-org.opencadc.cred.delegate.allowedUser = cn=generate,ou=acme,o=example,c=com 
-org.opencadc.cred.delegate.allowedUser = cn=alt,ou=acme,o=example,c=com
-
-org.opencadc.cred.proxy.allowedUser = cn=getproxy,ou=acme,o=example,c=com
-org.opencadc.cred.proxy.allowedUser = cn=alt,ou=acme,o=example,c=com
+org.opencadc.cred.superUser = cn=generate,ou=acme,o=example,c=com 
+org.opencadc.cred.superUser = cn=alt,ou=acme,o=example,c=com
 
 org.opencadc.cred.proxy.maxDaysValid = 0.5
 ```

diff --git a/cred/src/main/java/org/opencadc/cred/CredConfig.java b/cred/src/main/java/org/opencadc/cred/CredConfig.java
@@ -85,16 +85,14 @@ public class CredConfig {
 
     public String signingCert;
 
-    public int userKeySize = 4096;
-
-    public CredConfig() { 
+    public CredConfig() {
     }
 
     Set<X500Principal> superUsers = new HashSet<>();
 
     @Override
     public String toString() {
         return CredConfig.class.getName() + "[" 
-                + "maxDaysValid=" + maxDaysValid + ", signingCert=" + signingCert + ", userKeySize=" + userKeySize + "]";
+                + "maxDaysValid=" + maxDaysValid + ", signingCert=" + signingCert + "]";
     }
 }
diff --git a/cred/src/main/java/org/opencadc/cred/CredInitAction.java b/cred/src/main/java/org/opencadc/cred/CredInitAction.java
@@ -99,8 +99,6 @@ public class CredInitAction extends InitAction {
     private static final String CONFIG_FILE = "cred.properties";
     private static final String MAX_VALID_PROP = "org.opencadc.cred.maxDaysValid";
     private static final String SUPERUSER = "org.opencadc.cred.superUser";
-    private static final String USER_KEY_SIZE = "org.opencadc.cred.userKeySize";
-
     public static final File SIGN_CERT_FILE = new File("/config/signcert.pem");
 
     private String jndiKey;
@@ -111,7 +109,7 @@ public CredInitAction() {
     @Override
     public void doInit() {
         initBasicAuthIdentityManager();
-        this.jndiKey = super.appName + "." + CredConfig.class.getSimpleName();
+        this.jndiKey = getJndiKey(super.appName);
         initConfig();
     }
 
@@ -125,6 +123,20 @@ public void doShutdown() {
         }
     }
 
+    private static String getJndiKey(String appName) {
+        return appName + "." + CredConfig.class.getSimpleName();
+    }
+
+    public static CredConfig getConfig(String app) {
+        String jndiConfigKey = getJndiKey(app);
+        try {
+            Context ctx = new InitialContext();
+            return ((CredConfig) ctx.lookup(jndiConfigKey));
+        } catch (Exception oops) {
+            throw new RuntimeException("BUG: cred config not found. Service init failure?", oops);
+        }
+    }
+
     private void initBasicAuthIdentityManager() {
         String cname = System.getProperty(IdentityManager.class.getName());
         if (cname != null) {
@@ -167,21 +179,6 @@ private void initConfig() {
 
         log.debug(MAX_VALID_PROP + " value: " + credConfig.maxDaysValid);
 
-        String ukey = mvp.getFirstPropertyValue(USER_KEY_SIZE);
-        if (ukey != null) {
-            try {
-                int userKeySize = Integer.parseInt(ukey);
-                if (userKeySize <= 1024) {
-                    throw new RuntimeException("CONFIG: invalid " + USER_KEY_SIZE + " = " + userKeySize + " -- must be greater than 1024");
-                }
-                credConfig.userKeySize = userKeySize;
-            } catch (NumberFormatException ex) {
-                throw new RuntimeException("CONFIG: invalid " + USER_KEY_SIZE + " = " + ukey, ex);
-            }
-        }
-
-        log.debug(USER_KEY_SIZE + " value: " + credConfig.userKeySize);
-
         if (SIGN_CERT_FILE.exists() && SIGN_CERT_FILE.canRead()) {
             CheckCertificate checkCert = new CheckCertificate(SIGN_CERT_FILE);
             try {

diff --git a/cred/src/main/java/org/opencadc/cred/GetCertAction.java b/cred/src/main/java/org/opencadc/cred/GetCertAction.java
@@ -122,6 +122,7 @@ public class GetCertAction extends RestAction {
 
     static final String CERTIFICATE_CONTENT_TYPE = "application/x-pem-file";
     static final String CERTIFICATE_FILENAME = "cadcproxy.pem"; // content disposition
+    static final int CERT_KEY_SIZE = 2048;
 
     // CADC specific fields of the DN
     public static final String CADC_DN = "ou=cadc,o=hia,c=ca";
@@ -139,13 +140,7 @@ protected final InlineContentHandler getInlineContentHandler() {
 
     @Override
     public void initAction() {
-        String jndiConfigKey =  super.appName + "." + CredConfig.class.getSimpleName();
-        try {
-            Context ctx = new InitialContext();
-            this.config = ((CredConfig) ctx.lookup(jndiConfigKey));
-        } catch (Exception oops) {
-            throw new RuntimeException("BUG: NodePersistence implementation not found with JNDI key " + jndiConfigKey, oops);
-        }
+        config = CredInitAction.getConfig(super.appName);
     }
 
     @Override
@@ -206,7 +201,7 @@ public void doAction() throws Exception {
         // Generate key pair
         KeyPairGenerator rsaGenerator = KeyPairGenerator.getInstance("RSA");
         SecureRandom random = new SecureRandom();
-        rsaGenerator.initialize(config.userKeySize, random);
+        rsaGenerator.initialize(CERT_KEY_SIZE, random);
         KeyPair keyPair = rsaGenerator.generateKeyPair();
 
         X509CertificateChain signer = SSLUtil.readPemCertificateAndKey(new File(config.signingCert));

diff --git a/cred/src/main/java/org/opencadc/cred/ServiceAvailability.java b/cred/src/main/java/org/opencadc/cred/ServiceAvailability.java
@@ -71,15 +71,22 @@
 
 import ca.nrc.cadc.vosi.Availability;
 import ca.nrc.cadc.vosi.AvailabilityPlugin;
+import ca.nrc.cadc.vosi.avail.CheckCertificate;
+import ca.nrc.cadc.vosi.avail.CheckException;
+import java.io.File;
+import javax.naming.Context;
+import javax.naming.InitialContext;
 
 public class ServiceAvailability implements AvailabilityPlugin {
 
+    private String appName;
+
     public ServiceAvailability() {
     }
 
     @Override
     public void setAppName(String appName) {
-        // no op
+        this.appName = appName;
     }
 
     @Override
@@ -91,6 +98,25 @@ public boolean heartbeat() {
     public Availability getStatus() {
         boolean isGood = true;
         String note = "service is accepting requests";
+        try {
+            CredConfig config = CredInitAction.getConfig(appName);
+            File signCertFile = new File(config.signingCert);
+            if (signCertFile.exists() && signCertFile.canRead()) {
+                CheckCertificate checkCert = new CheckCertificate(signCertFile);
+                checkCert.check();
+            } else {
+                throw new CheckException("Configured signing cert not readable: " + signCertFile.getPath());
+            }
+        } catch (CheckException ce) {
+            // tests determined that the resource is not working
+            isGood = false;
+            note = ce.getMessage();
+        } catch (Throwable t) {
+            // the test itself failed
+            isGood = false;
+            note = "test failed, reason: " + t.getMessage();
+        }
+
         return new Availability(isGood, note);
     }
 

diff --git a/cred/src/main/webapp/WEB-INF/web.xml b/cred/src/main/webapp/WEB-INF/web.xml
@@ -101,10 +101,6 @@
                 ca.nrc.cadc.vosi
             </param-value>
         </init-param>
-        <init-param>
-            <param-name>logControlProperties</param-name>
-            <param-value>cred-logControl.properties</param-value>
-        </init-param>
         <load-on-startup>1</load-on-startup>
       </servlet>
 
@@ -154,7 +150,7 @@
       <param-name>ca.nrc.cadc.vosi.AvailabilityPlugin</param-name>
       <param-value>org.opencadc.cred.ServiceAvailability</param-value>
     </init-param>
-    <load-on-startup>2</load-on-startup>
+    <load-on-startup>3</load-on-startup>
   </servlet>
 
   <!--