ID-17, ID-18: check expiration of certificates

mlookaxw · mlookaxw · commit 29ebde73f9b7 · 2019-09-14T15:35:04.000+02:00
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
@@ -1,5 +1,59 @@
 = Changelog
 
+== Version 0.7.0
+
+[cols="1,2,<10a", options="header"]
+|===
+|ID|Type|Description
+|https://github.com/Axway-API-Management-Plus/apigw-maven-plugin/issues/17[#17]
+|Enhancement
+|Check expiration of configured certificates.
+
+The plugin and the configuration tool now supports to check if configured certificates expires within a given number of days.
+If at least one certificate expires within the time frame an error will be raised.
+
+For the configuration tool the check is disabled by default.
+
+For the plugin the default number of days is 10.
+To disable the check for the plugin specify set `axway.tools.cfg.cert.expirationDays` property to -1.
+
+|https://github.com/Axway-API-Management-Plus/apigw-maven-plugin/issues/18[#18]
+|Enhancement
+|Don't create "info" section for "update" certificates.
+Information about the configured certificates are written to log instead.
+
+Previously the configuration tool has written the "info" section (see below).
+This will change a source file, which is not suitable for build environments.
+
+.previous-cert-config.json
+....
+            "update": {
+                "file": "cert/server.p12", 
+                "info": { <1>
+                    "not_after": "2020-05-21T07:02:00+02:00", 
+                    "subject": "CN=server, O=Axway, L=Berlin, ST=Berlin, C=DE"
+                }, 
+                "password": "server",
+                "type": "p12"
+            }
+....
+<1> Information about the configured certificate, will no longer be created or updated.
+
+The "info" section is no longer created or updated for "update" certificates.
+
+.cert-config.json
+....
+            "update": {
+                "file": "cert/server.p12", 
+                "password": "server",
+                "type": "p12"
+            }
+....
+
+
+NOTE: To enable the previous behavior, use the `--cert-config-update` parameter of the configuration tool or the `axway.tools.cfg.cert.updateConfigured` property of the plugin.
+|===
+
 == Version 0.6.0
 
 [cols="1,2,<10a", options="header"]
diff --git a/doc/getting-started/getting-started.adoc b/doc/getting-started/getting-started.adoc
@@ -5,7 +5,7 @@
 :sectnums:
 :source-highlighter: prettify
 
-:mvn-plugin-ver: 0.6.0
+:mvn-plugin-ver: 0.7.0-SNAPSHOT
 
 Here you get a simple introduction on how to use the _Maven Plugin for Axway API Gateway_.
 It assumes that you are familiar with https://maven.apache.org[Apache Maven] and that you are familiar with PolicyStudio and the API Gateway.
diff --git a/doc/manual/_config-tool.adoc b/doc/manual/_config-tool.adoc
@@ -37,16 +37,24 @@ Options:
                         Path of JSON configuration file
   --prop=FILEPATH       Path of JSON property file [optional]
   --cert=FILEPATH       Path of JSON certificate configuration file [optional]
+  --cert-expiration=DAYS
+                        Check if certificates expire within the next days
+                        [optional]
+  --cert-config-update  Enable writing of info section for 'update'
+                        certificates within the configuration file [optional]
   --output-fed=FILEPATH
-                        Path of output deployment archive file (.fed) [optional]
+                        Path of output deployment archive file (.fed)
+                        [optional]
   --output-env=FILEPATH
-                        Path of output environment archive file (.env) [optional]
+                        Path of output environment archive file (.env)
+                        [optional]
   -D NAME:VALUE, --define=NAME:VALUE
                         Define a system property [multiple]
   --passphrase-in=PASSPHRASE
                         Passphrase of input archive files [optional]
   --passphrase-out=PASSPHRASE
                         Passphrase for output archive files [optional]
+  -s, --simulate        Enable simulation mode [optional]
 ....
 
 If environmentalized fields or certificates are not configured, the build fails.
@@ -76,6 +84,17 @@ The option is mandatory.
 |--cert
 |An optional JSON file containing the certificate configuration.
 
+|--cert-expiration
+|Optional number of days for certificate expiration check.
+
+If at least one certificate expires with the next given days an error will be raised.
+
+|--cert-config-update
+|Enable writing of info section for 'update' certificates within the configuration file.
+
+Since version v0.7.0 the info section of "update" certificates are not written any more.
+Use this to enable the previous behavior.
+
 |--output-fed
 |The path of the configured `.fed` file.
 If missing, no `.fed` file is generated.
@@ -105,6 +124,7 @@ If not set the output archives have the same passphrase as the source archives.
 
 In simulation mode, no output files (`.fed` or `.env`) will be written.
 Also non existing certificate files will be ignored.
+
 |===
 
 TIP: The simulation mode can be used to check the configuration and to update the configuration files.
@@ -279,11 +299,7 @@ It specifies the alias of the certificates within the project and the source of
             },
             "update": { <6>
                 "file": "cert/extern.crt", <7>
-                "info": { <8>
-                    "not_after": "2020-05-21T07:04:00+02:00", 
-                    "subject": "CN=extern, O=Axway, L=Berlin, ST=Berlin, C=DE"
-                }, 
-                "type": "crt" <9>
+                "type": "crt" <8>
             }
         }, 
         "server-p12": {
@@ -295,11 +311,7 @@ It specifies the alias of the certificates within the project and the source of
             },
             "update": {
                 "file": "cert/server.p12", 
-                "info": {
-                    "not_after": "2020-05-21T07:02:00+02:00", 
-                    "subject": "CN=server, O=Axway, L=Berlin, ST=Berlin, C=DE"
-                }, 
-                "password": "server", <10>
+                "password": "server", <9>
                 "type": "p12"
             }
         }, 
@@ -310,16 +322,12 @@ It specifies the alias of the certificates within the project and the source of
                     "subject": "CN=DST Root CA X3, O=Digital Signature Trust Co."
                 }
             },
-            "update": null <11>
+            "update": null <10>
         },
-        "test2": { <12>
+        "test2": { <11>
             "update": {
                 "file": "cert/server.p12", 
-                "info": {
-                    "not_after": "2020-05-21T07:02:00+02:00", 
-                    "subject": "CN=server, O=Axway, L=Berlin, ST=Berlin, C=DE"
-                }, 
-                "password-property": "server.password", <13> 
+                "password-property": "server.password", <12> 
                 "type": "p12"
             }
         }
@@ -335,15 +343,13 @@ A missing `origin` attribute indicates the origin certificate store doesn't has
 <6> Defines the certificate to update the certificate with the same alias within the certificate store.
 A missing `update` attribute indicates a new/unconfigured certificate.
 <7> Path to the new certificate file.
-<8> Information of the new certificate.
-Will be updated automatically be the plugin.
-<9> Type of the certificate.
+<8> Type of the certificate.
 `crt` for certificates and `p12` for certificates with key.
-<10> Password to for the `.p12` file.
-<11> _null_ value indicates that the certificate will not be updated.
-<12> Certificate without a `origin` attribute.
+<9> Password to for the `.p12` file.
+<10> _null_ value indicates that the certificate will not be updated.
+<11> Certificate without a `origin` attribute.
 This certificate will be added to the certificate store.
-<13> Password for the `.p12` file is retrieved from the property configuration file.
+<12> Password for the `.p12` file is retrieved from the property configuration file.
 
 === Properties
 
diff --git a/doc/manual/_reference.adoc b/doc/manual/_reference.adoc
@@ -231,6 +231,22 @@ Default: ${axway.home}/apigateway/system/conf/templates/BlankNoSettingsConfigura
 
 Default: false
 
+|axway.tools.cfg.cert.expirationDays
+|Minimum number of days before certificates expires.
+
+The build fails if at least one configured certificate expires within the next given days.
+Use -1 to disable the check.
+
+Default: 10
+
+|axway.tools.cfg.cert.updateConfigured
+|Set to _true_ to enable writing the info section of "update" certificates in the configuration file.
+
+Since version v0.7.0 the info section of "update" certificates are not written any more.
+This property can be used to enable the previous behavior.
+
+Default: false
+
 |axway.passphrase.in
 |Passphrase for reading input (`.pol`, `.env`) packages.
 Applicable to deployment projects only.
diff --git a/doc/manual/user-guide.adoc b/doc/manual/user-guide.adoc
@@ -18,7 +18,7 @@ ifdef::env-github[]
 :warning-caption: :warning:
 endif::[]
 
-:mvn-plugin-ver: 0.6.0
+:mvn-plugin-ver: 0.7.0-SNAPSHOT
 
 == About the Plugin
 
diff --git a/example/getting-started/pom.xml b/example/getting-started/pom.xml
@@ -7,7 +7,7 @@
   <packaging>pom</packaging>
 
   <properties>
-      <axway.maven.plugin.ver>0.6.0</axway.maven.plugin.ver>
+      <axway.maven.plugin.ver>0.7.0-SNAPSHOT</axway.maven.plugin.ver>
   </properties>
 
   <modules>
diff --git a/src/main/java/com/axway/maven/apigw/DeploymentArchiveMojo.java b/src/main/java/com/axway/maven/apigw/DeploymentArchiveMojo.java
@@ -32,6 +32,12 @@ public class DeploymentArchiveMojo extends AbstractFlattendProjectArchiveMojo {
 	@Parameter(property = "certsFile", required = false)
 	private File certsFile;
 	
+	@Parameter(property = "axway.tools.cfg.cert.expirationDays", required = false)
+	private int certExpirationDays = 10;
+	
+	@Parameter(property = "axway.tools.cfg.cert.updateConfigured", required = false)
+	private boolean updateCertConfigFile = false;
+	
 	@Parameter(property = "axway.tools.cfg.verbose", defaultValue = "false", required = true)
 	protected boolean verboseCfgTools;
 
@@ -149,6 +155,14 @@ private void buildFedArchive(File targetDir, File srcPolFile, File srcEnvFile) t
 			if (this.certsFile != null) {
 				args.add("--cert");
 				args.add(this.certsFile.getPath());
+				
+				if (this.certExpirationDays >= 0) {
+					args.add("--cert-expiration=" + this.certExpirationDays);
+				}
+				
+				if (this.updateCertConfigFile) {
+					args.add("--cert-config-update");
+				}
 			}
 			args.add("--output-fed");
 			args.add(outFedFile.getPath());
diff --git a/src/main/resources/scripts/lib/buildfed.py b/src/main/resources/scripts/lib/buildfed.py
@@ -33,6 +33,8 @@ def main():
     parser.add_option("-c", "--config", dest="config_file_path", help="Path of JSON configuration file", metavar="FILEPATH")
     parser.add_option("--prop", dest="prop_file_path", help="Path of JSON property file [optional]", metavar="FILEPATH")
     parser.add_option("--cert", dest="cert_file_path", help="Path of JSON certificate configuration file [optional]", metavar="FILEPATH")
+    parser.add_option("--cert-expiration", dest="cert_expiration_days", help="Check if certificates expire within the next days [optional]", metavar="DAYS")
+    parser.add_option("--cert-config-update", dest="cert_config_update", help="Enable writing of info section for 'update' certificates within the configuration file [optional]", action="store_true")
     parser.add_option("--output-fed", dest="out_fed_file_path", help="Path of output deployment archive file (.fed) [optional]", metavar="FILEPATH")
     parser.add_option("--output-env", dest="out_env_file_path", help="Path of output environment archive file (.env) [optional]", metavar="FILEPATH")
     parser.add_option("-D", "--define", dest="sys_properties", help="Define a system property [multiple]", metavar="NAME:VALUE", action="append")
@@ -70,6 +72,12 @@ def main():
         if options.simulate:
             fed_config.enable_simulation_mode()
 
+        if options.cert_config_update:
+            fed_config.enable_cert_config_update()
+
+        if options.cert_expiration_days:
+            fed_config.set_cert_expiration_days(int(options.cert_expiration_days))
+
         for name, value in sys_properties.items():
             print "INFO : System property %s" % (name)
         fed_config.set_system_properties(sys_properties)
diff --git a/src/main/resources/scripts/lib/envconfig.py b/src/main/resources/scripts/lib/envconfig.py
@@ -2,6 +2,8 @@
 import os
 from com.vordel.es.xes import PortableESPKFactory;
 from java.text import SimpleDateFormat
+from java.util import Date
+from java.util.concurrent import TimeUnit
 
 class FieldKey:
     def __init__(self, entity_short_hand_key, field_name, field_index, field_type):
@@ -190,17 +192,38 @@ def get_password(self):
         return self.__password
 
 class CertInfo:
-    alias = None
-    subject = None
-    not_after = None
+    __alias = None
+    __subject = None
+    __not_after = None
     def __init__(self, alias, subject, not_after):
-        self.alias = alias
-        self.subject = subject
-        self.not_after = not_after
+        self.__alias = alias
+        self.__subject = subject
+        self.__not_after = not_after
+
+    def get_alias(self):
+        return self.__alias
+
+    def get_subject(self):
+        return self.__subject
 
     def get_info(self):
+        return {"info": {"subject": self.__subject, "not_after": self.format_not_after() }}
+    
+    def format_not_after(self):
+        """
+        Formats the expiration date/time of the certificate.
+        """
         df = SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssXXX")
-        return {"info": {"subject": self.subject, "not_after": df.format(self.not_after) }} 
+        return df.format(self.__not_after)
+
+    def expiration_in_days(self):
+        """
+        Return the number of days until the certificate expires.
+        If the certificate is already expired a negative number is returned.
+        """
+        now = Date()
+        diff = self.__not_after.getTime() - now.getTime()
+        return TimeUnit.DAYS.convert(diff, TimeUnit.MILLISECONDS)
 
 class CertConfig:
     __config_file_path = None
@@ -240,19 +263,19 @@ def set_cert_infos(self, cert_infos):
 
         # set certificate infos
         for info in cert_infos:
-            if info.alias in certificates:
-                certificates[info.alias]["origin"] = info.get_info()
+            if info.get_alias() in certificates:
+                certificates[info.get_alias()]["origin"] = info.get_info()
             else:
-                certificates[info.alias] = { "origin": info.get_info() }
+                certificates[info.get_alias()] = { "origin": info.get_info() }
         return
 
     def set_update_cert_infos(self, cert_infos):
         certificates = self.__config_json["certificates"]
 
         for info in cert_infos:
-            if info.alias in certificates:
-                if "update" in certificates[info.alias]:
-                    certificates[info.alias]["update"].update(info.get_info())
+            if info.get_alias() in certificates:
+                if "update" in certificates[info.get_alias()]:
+                    certificates[info.get_alias()]["update"].update(info.get_info())
         return
 
     def get_certificates(self):
diff --git a/src/main/resources/scripts/lib/fedconfig.py b/src/main/resources/scripts/lib/fedconfig.py
