Https support (#251)

Add HTTPS support

Author: BrandonArp

config/config.conf

@@ -6,6 +6,11 @@ pipelinesDirectory="config/pipelines"
 # ~~~~
 httpHost="0.0.0.0"
 httpPort=7090
+httpsHost="0.0.0.0"
+httpsPort=7091
+enableHttps=true
+#httpsCertificatePath=/opt/mad/tls/cert.pem
+#httpsKeyPath=/opt/mad/tls/key.pem
 #httpHealthCheckPath="/ping"
 #httpStatusPath="/status"
 #supplementalHttpRoutesClass="com.example.MyAkkaRoutes"

pom.xml

@@ -78,6 +78,7 @@
     <arpnetworking.commons.version>1.19.0</arpnetworking.commons.version>
     <aspectjrt.version>1.9.2</aspectjrt.version>
     <asynchttpclient.version>2.6.0</asynchttpclient.version>
+    <bouncy.castle.version>1.69</bouncy.castle.version>
     <cglib.version>3.3.0</cglib.version>
     <client.protocol.version>0.12.0</client.protocol.version>
     <fastutil.version>8.2.2</fastutil.version>
@@ -87,6 +88,7 @@
     <javassist.version>3.24.1-GA</javassist.version>
     <javassist.maven.core.version>0.2.2</javassist.maven.core.version>
     <jsr305.version>3.0.2</jsr305.version>
+    <kafka.client.version>2.2.1</kafka.client.version>
     <logback.version>1.2.3</logback.version>
     <logback.steno.version>1.18.2</logback.steno.version>
     <log4j.over.slf4j.version>1.7.25</log4j.over.slf4j.version>
@@ -458,6 +460,7 @@
                 <ports>
                   <port>+mad.ip:${debugJavaPort}:${debugJavaPort}</port>
                   <port>+mad.ip:7090:7090</port>
+                  <port>+mad.ip:7091:7091</port>
                   <port>+mad.ip:8125:8125/udp</port>
                 </ports>
                 <env>
@@ -920,7 +923,17 @@
     <dependency>
       <groupId>org.apache.kafka</groupId>
       <artifactId>kafka-clients</artifactId>
-      <version>2.2.1</version>
+      <version>${kafka.client.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+      <version>${bouncy.castle.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk15on</artifactId>
+      <version>${bouncy.castle.version}</version>
     </dependency>
   </dependencies>
 

src/main/docker/mad/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM openjdk:8u212-jre-alpine
+FROM openjdk:8u302-jre-slim
 
 MAINTAINER arpnetworking
 
@@ -30,10 +30,13 @@ ENV MAD_CONFIG="/opt/mad/config/config.conf"
 ENV JAVA_OPTS=""
 
 # Build
-RUN apk add --no-cache su-exec && \
+RUN apt update && \
+    apt install -y gosu openssl && \
     mkdir -p /opt/mad/lib/ext && \
     mkdir -p /opt/mad/logs && \
-    mkdir -p /opt/mad/config/pipelines
+    mkdir -p /opt/mad/config/pipelines && \
+    mkdir -p /opt/mad/tls && \
+    openssl req -x509 -newkey rsa:4096 -keyout /opt/mad/tls/key.pem -out /opt/mad/tls/cert.pem -days 3650 -nodes -addext "subjectAltName = DNS:localhost" -subj '/CN=localhost'
 ADD deps /opt/mad/lib/
 ADD bin /opt/mad/bin/
 ADD config /opt/mad/config/

src/main/java/com/arpnetworking/metrics/mad/Main.java

@@ -21,7 +21,9 @@
 import akka.actor.Props;
 import akka.actor.Terminated;
 import akka.dispatch.Dispatcher;
+import akka.http.javadsl.ConnectionContext;
 import akka.http.javadsl.Http;
+import akka.http.javadsl.HttpsConnectionContext;
 import akka.stream.Materializer;
 import ch.qos.logback.classic.LoggerContext;
 import com.arpnetworking.commons.builder.Builder;
@@ -51,6 +53,7 @@
 import com.arpnetworking.utility.Launchable;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.base.Charsets;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
@@ -61,13 +64,35 @@
 import com.typesafe.config.Config;
 import com.typesafe.config.ConfigFactory;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.util.io.pem.PemObject;
 import scala.concurrent.Await;
 import scala.concurrent.ExecutionContextExecutor;
 import scala.concurrent.Future;
 import scala.concurrent.duration.Duration;
 
+import java.io.ByteArrayInputStream;
 import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStreamReader;
 import java.net.URI;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Locale;
@@ -81,6 +106,9 @@
 import java.util.concurrent.Semaphore;
 import java.util.concurrent.TimeUnit;
 import javax.annotation.Nullable;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
 
 /**
  * Class containing entry point for Metrics Data Aggregator (MAD).
@@ -248,7 +276,73 @@ private void launchActors(final Injector injector) {
                 supplementalHttpRoutes.build());
         final Http http = Http.get(actorSystem);
 
-        http.newServerAt(_configuration.getHttpHost(), _configuration.getHttpPort()).bind(routes);
+        http.newServerAt(_configuration.getHttpHost(), _configuration.getHttpPort()).withMaterializer(materializer).bind(routes);
+        if (_configuration.getEnableHttps()) {
+            Security.addProvider(new BouncyCastleProvider());
+            final HttpsConnectionContext httpsContext = createHttpsContext();
+            http.newServerAt(_configuration.getHttpsHost(), _configuration.getHttpsPort())
+                    .withMaterializer(materializer).enableHttps(httpsContext)
+                    .bind(routes);
+        }
+    }
+
+    private HttpsConnectionContext createHttpsContext() {
+        final PrivateKey privateKey;
+        try (PEMParser keyReader = new PEMParser(
+                new InputStreamReader(
+                        new FileInputStream(_configuration.getHttpsKeyPath()), Charsets.UTF_8))) {
+            final Object keyObject = keyReader.readObject();
+
+            if (keyObject instanceof PrivateKeyInfo) {
+                final PrivateKeyInfo privateKeyInfo = (PrivateKeyInfo) keyObject;
+                privateKey = new JcaPEMKeyConverter().getPrivateKey(privateKeyInfo);
+            } else {
+                throw new RuntimeException(
+                        String.format("Invalid private key format, expected PEM private key, got %s", keyObject.getClass().getName()));
+            }
+        } catch (final FileNotFoundException e) {
+            throw new RuntimeException(String.format("Could not find https key file: %s", _configuration.getHttpsKeyPath()), e);
+        } catch (final IOException e) {
+            throw new RuntimeException(String.format("Error reading https key file: %s", _configuration.getHttpsKeyPath()), e);
+        }
+
+        final X509Certificate cert;
+        try (PEMParser certReader = new PEMParser(
+                new InputStreamReader(
+                        new FileInputStream(_configuration.getHttpsCertificatePath()), Charsets.UTF_8))) {
+            final PemObject certObject = certReader.readPemObject();
+            final CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certObject.getContent()));
+        } catch (final FileNotFoundException e) {
+            throw new RuntimeException(
+                    String.format("Could not find https certificate file: %s", _configuration.getHttpsCertificatePath()), e);
+        } catch (final IOException e) {
+            throw new RuntimeException(
+                    String.format("Error reading https certificate file: %s", _configuration.getHttpsCertificatePath()), e);
+        } catch (final CertificateException e) {
+            throw new RuntimeException("Error building X509 certificate", e);
+        }
+
+        try {
+            final KeyStore ks = KeyStore.getInstance("JKS");
+            ks.load(null, null);
+            ks.setCertificateEntry("cert", cert);
+
+            ks.setKeyEntry("key", privateKey, new char[0], new Certificate[]{cert});
+            final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
+            keyManagerFactory.init(ks, new char[0]);
+
+            final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+            tmf.init(ks);
+
+            final SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
+            sslContext.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
+
+            return ConnectionContext.httpsServer(sslContext);
+        } catch (final UnrecoverableKeyException | KeyManagementException | NoSuchAlgorithmException | IOException
+                | KeyStoreException | CertificateException e) {
+            throw new RuntimeException("Could not create SSLContext for https configuration", e);
+        }
     }
 
     @SuppressWarnings("deprecation")

src/main/java/com/arpnetworking/metrics/mad/configuration/AggregatorConfiguration.java

@@ -86,6 +86,26 @@ public int getHttpPort() {
         return _httpPort;
     }
 
+    public String getHttpsHost() {
+        return _httpsHost;
+    }
+
+    public int getHttpsPort() {
+        return _httpsPort;
+    }
+
+    public String getHttpsKeyPath() {
+        return _httpsKeyPath;
+    }
+
+    public String getHttpsCertificatePath() {
+        return _httpsCertificatePath;
+    }
+
+    public boolean getEnableHttps() {
+        return _enableHttps;
+    }
+
     public String getHttpHealthCheckPath() {
         return _httpHealthCheckPath;
     }
@@ -120,6 +140,11 @@ public String toString() {
                 .add("PipelinesDirectory", _pipelinesDirectory)
                 .add("HttpHost", _httpHost)
                 .add("HttpPort", _httpPort)
+                .add("HttpsHost", _httpsHost)
+                .add("HttpsPort", _httpsPort)
+                .add("HttpsKeyPath", _httpsKeyPath)
+                .add("HttpsCertificatePath", _httpsCertificatePath)
+                .add("EnableHttps", _enableHttps)
                 .add("HttpHealthCheckPath", _httpHealthCheckPath)
                 .add("HttpStatusPath", _httpStatusPath)
                 .add("SupplementalHttpRoutesClass", _supplementalHttpRoutesClass)
@@ -137,6 +162,11 @@ private AggregatorConfiguration(final Builder builder) {
         _pipelinesDirectory = builder._pipelinesDirectory;
         _httpHost = builder._httpHost;
         _httpPort = builder._httpPort;
+        _httpsHost = builder._httpsHost;
+        _httpsPort = builder._httpsPort;
+        _httpsKeyPath = builder._httpsKeyPath;
+        _httpsCertificatePath = builder._httpsCertificatePath;
+        _enableHttps = builder._enableHttps;
         _httpHealthCheckPath = builder._httpHealthCheckPath;
         _httpStatusPath = builder._httpStatusPath;
         _supplementalHttpRoutesClass = Optional.ofNullable(builder._supplementalHttpRoutesClass);
@@ -157,11 +187,16 @@ private AggregatorConfiguration(final Builder builder) {
     private final File _logDirectory;
     private final File _pipelinesDirectory;
     private final String _httpHost;
+    private final String _httpsHost;
     private final String _httpHealthCheckPath;
     private final String _httpStatusPath;
     private final int _httpPort;
+    private final int _httpsPort;
     private final Optional<Class<? extends SupplementalRoutes>> _supplementalHttpRoutesClass;
     private final boolean _logDeadLetters;
+    private final boolean _enableHttps;
+    private final String _httpsKeyPath;
+    private final String _httpsCertificatePath;
     private final Map<String, ?> _akkaConfiguration;
 
     private static final ObjectMapper OBJECT_MAPPER = ObjectMapperFactory.getInstance();
@@ -292,6 +327,17 @@ public Builder setHttpHost(final String value) {
             return this;
         }
 
+        /**
+         * The https host address to bind to. Cannot be null or empty.
+         *
+         * @param value The host address to bind to.
+         * @return This instance of {@link Builder}.
+         */
+        public Builder setHttpsHost(final String value) {
+            _httpsHost = value;
+            return this;
+        }
+
         /**
          * The http health check path. Cannot be null or empty. Optional. Default is "/ping".
          *
@@ -314,6 +360,28 @@ public Builder setHttpStatusPath(final String value) {
             return this;
         }
 
+        /**
+         * The location of the https key file. Cannot be null or empty. Optional. Default is "/opt/mad/tls/key.pem".
+         *
+         * @param value The path to the https key file
+         * @return This instance of {@link Builder}.
+         */
+        public Builder setHttpsKeyPath(final String value) {
+            _httpsKeyPath = value;
+            return this;
+        }
+
+        /**
+         * The location of the https certificate file. Cannot be null or empty. Optional. Default is "/opt/mad/tls/cert.pem".
+         *
+         * @param value The path to the https cert file
+         * @return This instance of {@link Builder}.
+         */
+        public Builder setHttpsCertificatePath(final String value) {
+            _httpsCertificatePath = value;
+            return this;
+        }
+
         /**
          * The http port to listen on. Cannot be null, must be between 1 and
          * 65535 (inclusive).
@@ -326,6 +394,29 @@ public Builder setHttpPort(final Integer value) {
             return this;
         }
 
+        /**
+         * The https port to listen on. Cannot be null, must be between 1 and
+         * 65535 (inclusive).
+         *
+         * @param value The port to listen on.
+         * @return This instance of {@link Builder}.
+         */
+        public Builder setHttpsPort(final Integer value) {
+            _httpsPort = value;
+            return this;
+        }
+
+        /**
+         * Whether to start the https server. Value cannot be null. Defaults to {@code false}
+         *
+         * @param value {@code True} if the https server should be enabled
+         * @return This instance of {@link Builder}.
+         */
+        public Builder setEnableHttps(final Boolean value) {
+            _enableHttps = value;
+            return this;
+        }
+
         /**
          * The supplemental routes class. Optional.
          *
@@ -397,6 +488,20 @@ public Builder setAkkaConfiguration(final Map<String, ?> value) {
         private Integer _httpPort;
         @NotNull
         @NotEmpty
+        private String _httpsHost;
+        @NotNull
+        @Range(min = 1, max = 65535)
+        private Integer _httpsPort;
+        @NotNull
+        @NotEmpty
+        private String _httpsKeyPath = "/opt/mad/tls/key.pem";
+        @NotNull
+        @NotEmpty
+        private String _httpsCertificatePath = "/opt/mad/tls/cert.pem";
+        @NotNull
+        private Boolean _enableHttps = false;
+        @NotNull
+        @NotEmpty
         private String _httpHealthCheckPath = "/ping";
         @NotNull
         @NotEmpty