Merge branch '552-security-provider-flag'

nebhale · nebhale · commit 19ca3a248a91 · 2018-02-14T14:14:38.000-08:00
diff --git a/.idea/inspectionProfiles/Project_Default.xml b/.idea/inspectionProfiles/Project_Default.xml
diff --git a/config/container_security_provider.yml b/config/container_security_provider.yml
@@ -17,3 +17,4 @@
 ---
 version: 1.+
 repository_root: "{default.repository.root}/container-security-provider"
+enabled: true
diff --git a/docs/framework-container_security_provider.md b/docs/framework-container_security_provider.md
@@ -22,6 +22,7 @@ The framework can be configured by modifying the [`config/container_security_pro
 | ---- | -----------
 | `repository_root` | The URL of the Container Customizer repository index ([details][repositories]).
 | `version` | The version of Container Customizer to use. Candidate versions can be found in [this listing][].
+| `enabled` | Whether to enable the `SecurityProvider`
 
 ## Security Provider
 The [security provider][] added by this framework contributes two types, a `TrustManagerFactory` and a `KeyManagerFactory`.  The `TrustManagerFactory` adds an additional new `TrustManager` after the configured system `TrustManager` which reads the contents of `/etc/ssl/certs/ca-certificates.crt` which is where [BOSH trusted certificates][] are placed.  The `KeyManagerFactory` adds an additional `KeyManager` after the configured system `KeyManager` which reads the contents of the files specified by `$CF_INSTANCE_CERT` and `$CF_INSTANCE_KEY` which are set by Diego to give each container a unique cryptographic identity.  These `TrustManager`s and `KeyManager`s are used transparently by any networking library that reads standard system SSL configuration and can be used to enable system-wide trust and [mutual TLS authentication][].
diff --git a/lib/java_buildpack/framework/container_security_provider.rb b/lib/java_buildpack/framework/container_security_provider.rb
@@ -44,7 +44,13 @@ def release
 
       # (see JavaBuildpack::Component::VersionedDependencyComponent#supports?)
       def supports?
-        true
+        enabled?
+      end
+
+      private
+
+      def enabled?
+        @configuration['enabled']
       end
 
     end
diff --git a/spec/java_buildpack/framework/container_security_provider_spec.rb b/spec/java_buildpack/framework/container_security_provider_spec.rb
@@ -22,51 +22,70 @@
 describe JavaBuildpack::Framework::ContainerSecurityProvider do
   include_context 'with component help'
 
-  it 'always detects' do
-    expect(component.detect).to eq("container-security-provider=#{version}")
+  let(:java_home) do
+    java_home         = JavaBuildpack::Component::MutableJavaHome.new
+    java_home.version = version_8
+    return java_home
   end
 
-  it 'adds extension directory' do
-    component.release
+  let(:version_8) { JavaBuildpack::Util::TokenizedVersion.new('1.8.0_162') }
 
-    expect(extension_directories).to include(droplet.sandbox)
+  let(:version_9) { JavaBuildpack::Util::TokenizedVersion.new('9.0.4_11') }
+
+  it 'does not detect if not enabled' do
+    expect(component.detect).to be_nil
   end
 
-  it 'adds security provider',
-     cache_fixture: 'stub-container-security-provider.jar' do
+  context 'when enabled' do
 
-    component.compile
-    expect(security_providers[1]).to eq('org.cloudfoundry.security.CloudFoundryContainerProvider')
-  end
+    let(:configuration) { { 'enabled' => true } }
 
-  context do
+    it 'detects if enabled' do
+      expect(component.detect).to eq("container-security-provider=#{version}")
+    end
 
-    let(:java_home_delegate) do
-      delegate         = JavaBuildpack::Component::MutableJavaHome.new
-      delegate.root    = app_dir + '.test-java-home'
-      delegate.version = JavaBuildpack::Util::TokenizedVersion.new('9.0.0')
+    it 'adds extension directory' do
+      component.release
 
-      delegate
+      expect(extension_directories).to include(droplet.sandbox)
     end
 
-    it 'adds JAR to classpath during compile in Java 9',
+    it 'adds security provider',
        cache_fixture: 'stub-container-security-provider.jar' do
 
       component.compile
 
-      expect(additional_libraries).to include(droplet.sandbox + "container_security_provider-#{version}.jar")
+      expect(security_providers[1]).to eq('org.cloudfoundry.security.CloudFoundryContainerProvider')
     end
 
-    it 'adds JAR to classpath during release in Java 9' do
-      component.release
+    context 'when java 9' do
 
-      expect(additional_libraries).to include(droplet.sandbox + "container_security_provider-#{version}.jar")
-    end
+      it 'adds JAR to classpath during compile in Java 9',
+         cache_fixture: 'stub-container-security-provider.jar' do
 
-    it 'adds does not add extension directory in Java 9' do
-      component.release
+        java_home.version = version_9
+
+        component.compile
+
+        expect(additional_libraries).to include(droplet.sandbox + "container_security_provider-#{version}.jar")
+      end
+
+      it 'adds JAR to classpath during release in Java 9' do
+        java_home.version = version_9
+
+        component.release
+
+        expect(additional_libraries).to include(droplet.sandbox + "container_security_provider-#{version}.jar")
+      end
+
+      it 'adds does not add extension directory in Java 9' do
+        java_home.version = version_9
+
+        component.release
+
+        expect(extension_directories).not_to include(droplet.sandbox)
+      end
 
-      expect(extension_directories).not_to include(droplet.sandbox)
     end
 
   end
