Merge pull request #268 from adrienlauer/truststore

Allow to configure truststore separately

Author: adrienlauer

CHANGELOG.md

@@ -1,7 +1,10 @@
-# Version 3.8.6 (2019-07-30)
+# Version 3.9.0 (2019-08-12)
 
 * [new] Introduce the `diag` tool to manually write a diagnostic report to standard output or in a file.
 * [new] Enable configuration of Undertow error pages for specific HTTP codes or exceptions as well as a default error page (`web.server.errorPages` config).
+* [new] SSL truststore can be configured separately from the master keystore (if no configuration it will default to the Java default truststore).
+* [new] A custom X509KeyManager can now be configured to allow control of the chosen key material during SSL handshake.
+* [brk] Plain file X509 certificates (outside a keystore) can no longer be configured as it is less secure and not so useful.
 
 # Version 3.8.5 (2019-03-22)
 

cli/pom.xml

@@ -14,7 +14,7 @@
     <parent>
         <groupId>org.seedstack.seed</groupId>
         <artifactId>seed</artifactId>
-        <version>3.8.6-SNAPSHOT</version>
+        <version>3.9.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>seed-cli</artifactId>

core/pom.xml

@@ -14,7 +14,7 @@
     <parent>
         <groupId>org.seedstack.seed</groupId>
         <artifactId>seed</artifactId>
-        <version>3.8.6-SNAPSHOT</version>
+        <version>3.9.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>seed-core</artifactId>

core/src/main/java/org/seedstack/seed/core/internal/BindingDefinition.java

@@ -23,7 +23,7 @@ class BindingDefinition<T> extends Bindable<T> {
         this.from = from;
     }
 
-    public void apply(Binder binder) {
+    void apply(Binder binder) {
         if (from != null) {
             AnnotatedBindingBuilder<T> bind = binder.bind(from);
             if (!from.isAssignableFrom(target)) {

core/src/main/java/org/seedstack/seed/core/internal/CoreModule.java

@@ -12,30 +12,19 @@
 import com.google.inject.Module;
 import java.util.Collection;
 import java.util.Set;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 class CoreModule extends AbstractModule {
-    private final Logger LOGGER = LoggerFactory.getLogger(CoreModule.class);
     private final Collection<? extends Module> modules;
     private final Set<Bindable> bindings;
-    private final boolean overriding;
 
-    CoreModule(Collection<? extends Module> modules, Set<Bindable> bindings, boolean overriding) {
+    CoreModule(Collection<? extends Module> modules, Set<Bindable> bindings) {
         this.modules = modules;
         this.bindings = bindings;
-        this.overriding = overriding;
     }
 
     @Override
     protected void configure() {
-        modules.forEach(module -> {
-            LOGGER.trace("Installing module {}", module.getClass().getName());
-            install(module);
-        });
-        LOGGER.debug("Installed {}{} module(s)", modules.size(), overriding ? " overriding" : "");
-
+        modules.forEach(this::install);
         bindings.forEach(binding -> binding.apply(binder()));
-        LOGGER.debug("Created {}{} binding(s)", bindings.size(), overriding ? " overriding" : "");
     }
 }

core/src/main/java/org/seedstack/seed/core/internal/CorePlugin.java

@@ -21,12 +21,15 @@
 import org.kametic.specifications.Specification;
 import org.seedstack.seed.core.internal.utils.SpecificationBuilder;
 import org.seedstack.shed.reflect.Classes;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Core plugin that configures base package roots and detects diagnostic collectors, dependency providers, Guice modules
  * and configuration files.
  */
 public class CorePlugin extends AbstractSeedPlugin {
+    private static final Logger LOGGER = LoggerFactory.getLogger(CorePlugin.class);
     static final String AUTODETECT_MODULES_KERNEL_PARAM = "seedstack.autodetectModules";
     static final String AUTODETECT_BINDINGS_KERNEL_PARAM = "seedstack.autodetectBindings";
     private static final String SEEDSTACK_PACKAGE = "org.seedstack";
@@ -82,8 +85,10 @@ private void detectModules(InitContext initContext) {
                 .forEach(candidate -> InstallResolver.INSTANCE.apply(candidate).ifPresent(annotation -> {
                     if (annotation.override()) {
                         overridingModules.add((Class<? extends Module>) candidate);
+                        LOGGER.debug("Overriding module {} detected", candidate.getName());
                     } else {
                         modules.add((Class<? extends Module>) candidate);
+                        LOGGER.debug("Module {} detected", candidate.getName());
                     }
                 }));
     }
@@ -97,11 +102,13 @@ private void detectBindings(InitContext initContext) {
                                 candidate,
                                 (Class<Object>) (annotation.from() == Object.class ? null : annotation.from())
                         ));
+                        LOGGER.debug("Overriding explicit binding for {} detected", candidate.getName());
                     } else {
                         bindings.add(new BindingDefinition<>(
                                 candidate,
                                 (Class<Object>) (annotation.from() == Object.class ? null : annotation.from())
                         ));
+                        LOGGER.debug("Explicit binding for {} detected", candidate.getName());
                     }
                 }));
     }
@@ -122,17 +129,15 @@ private void detectProviders(InitContext initContext) {
     public Object nativeUnitModule() {
         return new CoreModule(
                 modules.stream().map(Classes::instantiateDefault).collect(Collectors.toSet()),
-                bindings,
-                false
+                bindings
         );
     }
 
     @Override
     public Object nativeOverridingUnitModule() {
         return new CoreModule(
                 overridingModules.stream().map(Classes::instantiateDefault).collect(Collectors.toSet()),
-                overridingBindings,
-                true
+                overridingBindings
         );
     }
 }

core/src/main/java/org/seedstack/seed/core/internal/command/CommandPlugin.java

@@ -5,6 +5,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
+
 package org.seedstack.seed.core.internal.command;
 
 import static org.seedstack.shed.reflect.ReflectUtils.makeAccessible;
@@ -66,12 +67,11 @@ public InitState initialize(InitContext initContext) {
                     }
 
                     commandDefinitions.put(commandDefinition.getQualifiedName(), commandDefinition);
-                    LOGGER.trace("Command {} registered with {}", commandDefinition.getQualifiedName(),
+                    LOGGER.debug("Command {} detected, implemented in {}", commandDefinition.getQualifiedName(),
                             commandDefinition.getCommandActionClass().getCanonicalName());
                 }
             }
         }
-        LOGGER.debug("Registered " + commandDefinitions.size() + " command(s)");
 
         return InitState.INITIALIZED;
     }

core/src/main/java/org/seedstack/seed/core/internal/configuration/ConfigurationPlugin.java

@@ -103,6 +103,13 @@ public Collection<ClasspathScanRequest> classpathScanRequests() {
     @SuppressWarnings("unchecked")
     @Override
     public InitState init(InitContext initContext) {
+        Set<String> activeProfiles = ProfileProcessor.activeProfiles();
+        if (activeProfiles.isEmpty()) {
+            LOGGER.info("No configuration profile is active");
+        } else {
+            LOGGER.info("Active configuration profile(s): {}", String.join(", ", activeProfiles));
+        }
+
         detectKernelParamConfig(initContext);
         detectConfigurationFiles(initContext);
 

core/src/main/java/org/seedstack/seed/core/internal/configuration/ProfileProcessor.java

@@ -5,6 +5,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
+
 package org.seedstack.seed.core.internal.configuration;
 
 import com.google.common.base.Strings;
@@ -29,7 +30,7 @@ public class ProfileProcessor implements ConfigurationProcessor {
 
     @Override
     public void process(MapNode configuration) {
-        Set<String> activeProfiles = parseProfiles(System.getProperty(SEEDSTACK_PROFILES_PROPERTY, ""));
+        Set<String> activeProfiles = activeProfiles();
         Map<MapNode, List<String>> toRemove = new HashMap<>();
         Map<TreeNode, Map<String, String>> moves = new HashMap<>();
 
@@ -59,10 +60,14 @@ public void process(MapNode configuration) {
         }
     }
 
-    private Set<String> parseProfiles(String value) {
+    private static Set<String> parseProfiles(String value) {
         return Arrays.stream(value.split(","))
                 .map(String::trim)
                 .filter(notNullOrEmpty)
                 .collect(Collectors.toSet());
     }
+
+    static Set<String> activeProfiles() {
+        return parseProfiles(System.getProperty(SEEDSTACK_PROFILES_PROPERTY, ""));
+    }
 }

core/src/main/java/org/seedstack/seed/core/internal/crypto/CryptTool.java

@@ -5,16 +5,16 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
+
 package org.seedstack.seed.core.internal.crypto;
 
-import com.google.common.base.Strings;
-import com.google.common.collect.Lists;
+import static org.seedstack.seed.core.internal.crypto.CryptoPlugin.getMasterEncryptionService;
+
 import com.google.common.io.BaseEncoding;
 import io.nuun.kernel.api.plugin.InitState;
 import io.nuun.kernel.api.plugin.context.InitContext;
 import java.nio.charset.Charset;
 import java.security.KeyStore;
-import java.util.Collection;
 import org.seedstack.seed.SeedException;
 import org.seedstack.seed.cli.CliArgs;
 import org.seedstack.seed.cli.CliOption;
@@ -25,7 +25,7 @@
 public class CryptTool extends AbstractSeedTool {
     private EncryptionServiceFactory encryptionServiceFactory;
     private CryptoConfig.KeyStoreConfig masterKeyStoreConfig;
-    @CliOption(name = "a", longName = "alias", valueCount = 1, mandatory = true)
+    @CliOption(name = "a", longName = "alias", valueCount = 1, defaultValues = "master")
     private String alias;
     @CliOption(name = "e", longName = "encoding", valueCount = 1, defaultValues = "utf-8")
     private String encoding;
@@ -38,34 +38,28 @@ public String toolName() {
     }
 
     @Override
-    protected Collection<Class<?>> toolPlugins() {
-        return Lists.newArrayList(CryptoPlugin.class);
+    protected InitState initialize(InitContext initContext) {
+        getConfiguration().getOptional(CryptoConfig.KeyStoreConfig.class, "crypto.keystores.master").ifPresent(cfg -> {
+            KeyStore keyStore = new KeyStoreLoader().load(CryptoConfig.MASTER_KEY_STORE_NAME, cfg);
+            encryptionServiceFactory = new EncryptionServiceFactory(keyStore);
+            masterKeyStoreConfig = cfg;
+        });
+        return InitState.INITIALIZED;
     }
 
     @Override
-    protected InitState initialize(InitContext initContext) {
-        CryptoConfig cryptoConfig = getConfiguration(CryptoConfig.class);
-        masterKeyStoreConfig = cryptoConfig.masterKeyStore();
-        if (masterKeyStoreConfig != null) {
-            KeyStore keyStore = new KeyStoreLoader().load(CryptoConfig.MASTER_KEY_STORE_NAME, masterKeyStoreConfig);
-            encryptionServiceFactory = new EncryptionServiceFactory(cryptoConfig, keyStore);
-        } else {
-            encryptionServiceFactory = null;
-        }
-        return InitState.INITIALIZED;
+    public StartMode startMode() {
+        return StartMode.MINIMAL;
     }
 
     @Override
-    public Integer call() throws Exception {
+    public Integer call() {
         if (encryptionServiceFactory == null) {
             throw SeedException.createNew(CryptoErrorCode.MISSING_MASTER_KEYSTORE);
         }
-        CryptoConfig.KeyStoreConfig.AliasConfig aliasConfig = masterKeyStoreConfig.getAliases().get(alias);
-        if (aliasConfig == null || Strings.isNullOrEmpty(aliasConfig.getPassword())) {
-            throw SeedException.createNew(CryptoErrorCode.MISSING_MASTER_KEY_PASSWORD);
-        }
-        EncryptionService encryptionService = encryptionServiceFactory.create(alias,
-                aliasConfig.getPassword().toCharArray());
+        EncryptionService encryptionService = getMasterEncryptionService(encryptionServiceFactory,
+                masterKeyStoreConfig,
+                alias);
         System.out.println(
                 BaseEncoding.base16().encode(
                         encryptionService.encrypt(