Container Security Provider Manager Flags

nebhale · nebhale · commit 4262bb8cf83c · 2018-02-15T12:14:44.000-08:00
Previously, the Container Security Provider could only be enabled and disabled completely for a given application. In certain circumstances it was useful to disable the KeyManager and TrustManager individually. This change takes advantage of a new feature in the Container Security Provider itself and sets the appropriate flags to disable the managers independently. [resolves #552]
diff --git a/.idea/inspectionProfiles/Project_Default.xml b/.idea/inspectionProfiles/Project_Default.xml
diff --git a/config/container_security_provider.yml b/config/container_security_provider.yml
@@ -17,3 +17,5 @@
 ---
 version: 1.+
 repository_root: "{default.repository.root}/container-security-provider"
+key_manager_enabled: 
+trust_manager_enabled: 
diff --git a/docs/framework-container_security_provider.md b/docs/framework-container_security_provider.md
@@ -22,6 +22,8 @@ The framework can be configured by modifying the [`config/container_security_pro
 | ---- | -----------
 | `repository_root` | The URL of the Container Customizer repository index ([details][repositories]).
 | `version` | The version of Container Customizer to use. Candidate versions can be found in [this listing][].
+| `key_manager_enabled` | Whether the container `KeyManager` is enabled.  Defaults to `true`.
+| `trust_manager_enabled` | Whether the container `TrustManager` is enabled.  Defaults to `true`.
 
 ## Security Provider
 The [security provider][] added by this framework contributes two types, a `TrustManagerFactory` and a `KeyManagerFactory`.  The `TrustManagerFactory` adds an additional new `TrustManager` after the configured system `TrustManager` which reads the contents of `/etc/ssl/certs/ca-certificates.crt` which is where [BOSH trusted certificates][] are placed.  The `KeyManagerFactory` adds an additional `KeyManager` after the configured system `KeyManager` which reads the contents of the files specified by `$CF_INSTANCE_CERT` and `$CF_INSTANCE_KEY` which are set by Diego to give each container a unique cryptographic identity.  These `TrustManager`s and `KeyManager`s are used transparently by any networking library that reads standard system SSL configuration and can be used to enable system-wide trust and [mutual TLS authentication][].
diff --git a/lib/java_buildpack/framework/container_security_provider.rb b/lib/java_buildpack/framework/container_security_provider.rb
@@ -38,6 +38,13 @@ def release
         else
           @droplet.extension_directories << @droplet.sandbox
         end
+
+        unless key_manager_enabled.nil?
+          @droplet.java_opts.add_system_property 'org.cloudfoundry.security.keymanager.enabled', key_manager_enabled
+        end
+
+        return if trust_manager_enabled.nil?
+        @droplet.java_opts.add_system_property 'org.cloudfoundry.security.trustmanager.enabled', trust_manager_enabled
       end
 
       protected
@@ -47,6 +54,16 @@ def supports?
         true
       end
 
+      private
+
+      def key_manager_enabled
+        @configuration['key_manager_enabled']
+      end
+
+      def trust_manager_enabled
+        @configuration['trust_manager_enabled']
+      end
+
     end
 
   end
diff --git a/spec/java_buildpack/framework/container_security_provider_spec.rb b/spec/java_buildpack/framework/container_security_provider_spec.rb
@@ -63,12 +63,63 @@
       expect(additional_libraries).to include(droplet.sandbox + "container_security_provider-#{version}.jar")
     end
 
-    it 'adds does not add extension directory in Java 9' do
+    it 'does not add extension directory in Java 9' do
       component.release
 
       expect(extension_directories).not_to include(droplet.sandbox)
     end
 
   end
 
+  it 'does not manager system properties' do
+    component.release
+
+    expect(java_opts).not_to include('-Dorg.cloudfoundry.security.keymanager.enabled=false')
+    expect(java_opts).not_to include('-Dorg.cloudfoundry.security.trustmanager.enabled=false')
+  end
+
+  context 'when KeyManager disabled' do
+    let(:configuration) { { 'key_manager_enabled' => false } }
+
+    it 'adds system property' do
+      component.release
+
+      expect(java_opts).to include('-Dorg.cloudfoundry.security.keymanager.enabled=false')
+    end
+
+  end
+
+  context 'when TrustManager disabled' do
+    let(:configuration) { { 'trust_manager_enabled' => false } }
+
+    it 'adds system property' do
+      component.release
+
+      expect(java_opts).to include('-Dorg.cloudfoundry.security.trustmanager.enabled=false')
+    end
+
+  end
+
+  context 'when KeyManager enabled' do
+    let(:configuration) { { 'key_manager_enabled' => true } }
+
+    it 'adds system property' do
+      component.release
+
+      expect(java_opts).to include('-Dorg.cloudfoundry.security.keymanager.enabled=true')
+    end
+
+  end
+
+  context 'when TrustManager enabled' do
+    let(:configuration) { { 'trust_manager_enabled' => true } }
+
+    it 'adds system property' do
+      component.release
+
+      expect(java_opts).to include('-Dorg.cloudfoundry.security.trustmanager.enabled=true')
+    end
+
+  end
+
 end
