#282 Can now insert host certificates into a certificate template

Author: rjrudin

src/main/java/com/marklogic/appdeployer/command/CommandMapBuilder.java

@@ -34,6 +34,7 @@
 import com.marklogic.appdeployer.command.security.DeployAmpsCommand;
 import com.marklogic.appdeployer.command.security.DeployCertificateAuthoritiesCommand;
 import com.marklogic.appdeployer.command.security.DeployCertificateTemplatesCommand;
+import com.marklogic.appdeployer.command.security.InsertCertificateHostsTemplateCommand;
 import com.marklogic.appdeployer.command.security.DeployExternalSecurityCommand;
 import com.marklogic.appdeployer.command.security.DeployPrivilegesCommand;
 import com.marklogic.appdeployer.command.security.DeployProtectedCollectionsCommand;
@@ -69,6 +70,7 @@ public Map<String, List<Command>> buildCommandMap() {
 		securityCommands.add(new DeployAmpsCommand());
 		securityCommands.add(new DeployCertificateTemplatesCommand());
 		securityCommands.add(new DeployCertificateAuthoritiesCommand());
+		securityCommands.add(new InsertCertificateHostsTemplateCommand());
 		securityCommands.add(new DeployExternalSecurityCommand());
 		securityCommands.add(new DeployPrivilegesCommand());
 		securityCommands.add(new DeployProtectedCollectionsCommand());

src/main/java/com/marklogic/appdeployer/command/SortOrderConstants.java

@@ -5,9 +5,11 @@ public abstract class SortOrderConstants {
     public static Integer DEPLOY_PRIVILEGES = 5;
     public static Integer DEPLOY_ROLES = 10;
     public static Integer DEPLOY_USERS = 15;
-    public static Integer DEPLOY_CERTIFICATE_TEMPLATES = 20;
-    public static Integer GENERATE_TEMPORARY_CERTIFICATE = 25;
-    public static Integer DEPLOY_CERTIFICATE_AUTHORITIES = 30;
+	public static Integer DEPLOY_CERTIFICATE_AUTHORITIES = 20;
+	public static Integer DEPLOY_CERTIFICATE_TEMPLATES = 24;
+	public static Integer GENERATE_TEMPORARY_CERTIFICATE = 25;
+	public static Integer INSERT_HOST_CERTIFICATES = 28;
+
     public static Integer DEPLOY_EXTERNAL_SECURITY = 35;
     public static Integer DEPLOY_PROTECTED_COLLECTIONS = 40;
     public static Integer DEPLOY_MIMETYPES = 45;

src/main/java/com/marklogic/appdeployer/command/databases/DeployDatabaseCommand.java

@@ -141,7 +141,7 @@ public void undo(CommandContext context) {
 
     /**
      * Creates and attaches sub-databases to a the specified database, making it a super-database.
-     * Note: Sub-databases are expected to have a configuration files in databases/subdatabases/<super-database-name>
+     * Note: Sub-databases are expected to have a configuration files in databases/subdatabases/super-database-name
      * @param dbMgr
      * @param context
      * @param superDatabaseName Name of the database the sub-databases are to be associated with

src/main/java/com/marklogic/appdeployer/command/security/InsertCertificateHostsTemplateCommand.java

@@ -0,0 +1,103 @@
+package com.marklogic.appdeployer.command.security;
+
+import java.io.File;
+import java.util.List;
+
+import com.marklogic.appdeployer.ConfigDir;
+import com.marklogic.appdeployer.command.AbstractCommand;
+import com.marklogic.appdeployer.command.CommandContext;
+import com.marklogic.appdeployer.command.SortOrderConstants;
+import com.marklogic.mgmt.resource.security.CertificateTemplateManager;
+
+/**
+ * Inserts host certificates for each certificate template returned by the Manage API. Host certificates are inserted
+ * via the endpoint at http://docs.marklogic.com/REST/POST/manage/v2/certificate-templates/[id-or-name]#insertHC .
+ *
+ * To allow for host certificates to be associated with a certificate template, this command expects to find host
+ * certificates in a directory named "(configuration directory)/security/certificate-templates/host-certificates/(name of template)/".
+ *
+ * The public certificate file must be a PEM-formatted file with a file extension of ".crt". And the private key file must
+ * be a PEM-formatted file with a file extension of ".key".
+ */
+public class InsertCertificateHostsTemplateCommand extends AbstractCommand {
+
+	private String publicCertificateFileExtension = ".crt";
+	private String privateKeyFileExtension = ".key";
+
+	public InsertCertificateHostsTemplateCommand() {
+		setExecuteSortOrder(SortOrderConstants.INSERT_HOST_CERTIFICATES);
+	}
+
+	@Override
+	public void execute(CommandContext context) {
+		List<String> templateNames = new CertificateTemplateManager(context.getManageClient()).getAsXml().getListItemNameRefs();
+		if (templateNames != null && !templateNames.isEmpty()) {
+			if (logger.isInfoEnabled()) {
+				logger.info("Looking for host certificates to insert for certificate templates: " + templateNames);
+			}
+			for (String templateName : templateNames) {
+				insertHostCertificatesForTemplate(context, templateName);
+			}
+		}
+	}
+
+    /**
+     * Looks for host certificates for the given template name.
+     *
+     * @param context
+     * @param templateName Name of the template the host certificates should be inserted into
+     */
+    protected void insertHostCertificatesForTemplate(CommandContext context, String templateName) {
+		for (ConfigDir configDir : context.getAppConfig().getConfigDirs()) {
+			File hostCertDir = new File(configDir.getCertificateTemplatesDir() + File.separator + "host-certificates" + File.separator + templateName);
+			logger.info(format("Looking for host certificate files ending in '%s' for template '%s' in: %s", publicCertificateFileExtension, templateName, hostCertDir.getAbsolutePath()));
+			if (hostCertDir.exists()){
+				for (File f : hostCertDir.listFiles()) {
+					if (f.getName().endsWith(publicCertificateFileExtension)) {
+						File privateKeyFile = determinePrivateKeyFile(f);
+						if (privateKeyFile.exists()) {
+							logger.info("Found public certificate file at: " + f.getAbsolutePath() + ", and found corresponding private key file at: " + privateKeyFile.getAbsolutePath());
+							this.insertHostCertificate(context, templateName, f, privateKeyFile);
+						} else {
+							logger.warn("Did not find expected private key file at: " + privateKeyFile.getAbsolutePath() + "; will ignore " +
+								"public certificate file found at: " + f.getAbsolutePath());
+						}
+					}
+				}
+			}
+		}
+	 }
+
+	 protected File determinePrivateKeyFile(File publicCertificateFile) {
+    	String path = publicCertificateFile.getAbsolutePath();
+    	return new File(path.substring(0, path.length() - publicCertificateFileExtension.length()) + privateKeyFileExtension);
+	 }
+
+	/**
+	 * @param context
+	 * @param templateName The name of the certificate template that the host certificate will be inserted into
+	 * @param publicCertFile
+	 * @param privateKeyFile
+	 */
+	protected void insertHostCertificate(CommandContext context, String templateName, File publicCertFile, File privateKeyFile) {
+		CertificateTemplateManager mgr = new CertificateTemplateManager(context.getManageClient());
+		if (!mgr.certificateExists(templateName)) {
+			logger.info(format("Inserting host certificate for certificate template '%s'", templateName));
+			String pubCertString = copyFileToString(publicCertFile);
+			String privateKeyString = copyFileToString(privateKeyFile);
+			mgr.insertHostCertificate(templateName, pubCertString, privateKeyString);
+			logger.info(format("Inserted host certificate for certificate template '%s'", templateName));
+		} else {
+			logger.info(format("Host certificate already exists for certificate template '%s', so not inserting host certificate found at: %s",
+				templateName, publicCertFile.getAbsolutePath()));
+		}
+	}
+
+	public void setPublicCertificateFileExtension(String publicCertificateFileExtension) {
+		this.publicCertificateFileExtension = publicCertificateFileExtension;
+	}
+
+	public void setPrivateKeyFileExtension(String privateKeyFileExtension) {
+		this.privateKeyFileExtension = privateKeyFileExtension;
+	}
+}

src/main/java/com/marklogic/appdeployer/export/security/UserExporter.java

@@ -45,7 +45,6 @@ protected String[] getExportMessages() {
 	 * allows the user to be immediately deployed, and the developer can then change the password to a real one at a
 	 * later date.
 	 *
-	 * @param resourceName
 	 * @param payload
 	 * @return
 	 */

src/main/java/com/marklogic/mgmt/resource/security/CertificateTemplateManager.java

@@ -1,10 +1,12 @@
 package com.marklogic.mgmt.resource.security;
 
+import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.marklogic.mgmt.ManageClient;
 import com.marklogic.mgmt.resource.AbstractResourceManager;
 import com.marklogic.mgmt.util.ObjectMapperFactory;
 import com.marklogic.rest.util.Fragment;
+
 import org.springframework.http.ResponseEntity;
 
 /**
@@ -72,10 +74,60 @@ public ResponseEntity<String> generateTemporaryCertificate(String templateIdOrNa
                     json));
         }
         return postPayload(getManageClient(), getResourcePath(templateIdOrName), json);
-    }
+	 }
+
+	/**
+	 * Inserts a host certificate for a given template.
+	 *
+	 * Even though service allows multiple inserts in one call, this only inserts one host cert at a time.
+	 *
+	 * Note that the docs as of ML 9.0-5 are not correct for this operation - this method submits the correct JSON
+	 * structure.
+	 *
+	 * @param templateIdOrName The template name to insert the host certificates
+	 * @param pubCert the Public PEM formatted certificate
+	 * @param privateKey the Private PEM formatted certificate
+	 */
+	public ResponseEntity<String> insertHostCertificate(String templateIdOrName, String pubCert, String privateKey) {
+		ObjectNode command = ObjectMapperFactory.getObjectMapper().createObjectNode();
+		command.put("operation", "insert-host-certificates");
+		ArrayNode certs = ObjectMapperFactory.getObjectMapper().createArrayNode();
+
+		ObjectNode certificate = ObjectMapperFactory.getObjectMapper().createObjectNode();
+		ObjectNode cert = ObjectMapperFactory.getObjectMapper().createObjectNode();
+
+		certificate.put("cert", pubCert);
+		certificate.put("pkey", privateKey);
+		cert.set("certificate", certificate);
+		certs.add(cert);
+
+		command.set("certificates", certs);
+
+		String json = command.toString();
+		if (logger.isInfoEnabled()) {
+			// NOTE - should NOT print out private key - EVER
+			logger.info(format("Inserting host certificate for template %s", templateIdOrName));
+		}
+		return postPayload(getManageClient(), getResourcePath(templateIdOrName), json);
+	}
+
+	/**
+	 * Utility service to determine if certificates exist for a template.
+	 *
+	 * Used because ML9.0-5 (and prior) has bug for "needs-certificate" call
+	 */
+	public boolean certificateExists(String templateIdOrName) {
+		Fragment response = getCertificatesForTemplate(templateIdOrName);
+		if (logger.isDebugEnabled()) {
+			logger.debug(format("Checking if %s template has certificates --> for template: %s", templateIdOrName, response.getPrettyXml()));
+		}
+
+		return response.elementExists("/msec:certificate-list/msec:certificate");
+	}
 
     public Fragment getCertificatesForTemplate(String templateIdOrName) {
         ObjectNode node = ObjectMapperFactory.getObjectMapper().createObjectNode();
+        // Note the docs in ML 9.0-5 have a typo - it's "certificates", not "certificate"
         node.put("operation", "get-certificates-for-template");
 
         String json = node.toString();

src/main/java/com/marklogic/rest/util/Fragment.java

@@ -29,19 +29,21 @@ public Fragment(String xml, Namespace... namespaces) {
         try {
             internalDoc = new SAXBuilder().build(new StringReader(xml));
             List<Namespace> list = new ArrayList<Namespace>();
+	        list.add(Namespace.getNamespace("arp", "http://marklogic.com/manage/alert-rule/properties"));
             list.add(Namespace.getNamespace("c", "http://marklogic.com/manage/clusters"));
+	        list.add(Namespace.getNamespace("cert", "http://marklogic.com/xdmp/x509"));
             list.add(Namespace.getNamespace("db", "http://marklogic.com/manage/databases"));
             list.add(Namespace.getNamespace("es", "http://marklogic.com/entity-services"));
             list.add(Namespace.getNamespace("f", "http://marklogic.com/manage/forests"));
 	        list.add(Namespace.getNamespace("g", "http://marklogic.com/manage/groups"));
 	        list.add(Namespace.getNamespace("h", "http://marklogic.com/manage/hosts"));
             list.add(Namespace.getNamespace("m", "http://marklogic.com/manage"));
-            list.add(Namespace.getNamespace("s", "http://marklogic.com/manage/servers"));
             list.add(Namespace.getNamespace("msec", "http://marklogic.com/manage/security"));
+	        list.add(Namespace.getNamespace("pki", "http://marklogic.com/xdmp/pki"));
+	        list.add(Namespace.getNamespace("req", "http://marklogic.com/manage/requests"));
+	        list.add(Namespace.getNamespace("s", "http://marklogic.com/manage/servers"));
             list.add(Namespace.getNamespace("sec", "http://marklogic.com/xdmp/security"));
-            list.add(Namespace.getNamespace("arp", "http://marklogic.com/manage/alert-rule/properties"));
 			list.add(Namespace.getNamespace("ts", "http://marklogic.com/manage/task-server"));
-			list.add(Namespace.getNamespace("req", "http://marklogic.com/manage/requests"));
 	        list.add(Namespace.getNamespace("t", "http://marklogic.com/manage/tasks"));
             for (Namespace n : namespaces) {
                 list.add(n);

src/test/java/com/marklogic/appdeployer/command/security/InsertHostCertificateTest.java

@@ -0,0 +1,55 @@
+package com.marklogic.appdeployer.command.security;
+
+import com.marklogic.appdeployer.AbstractAppDeployerTest;
+import com.marklogic.appdeployer.ConfigDir;
+import com.marklogic.mgmt.resource.security.CertificateTemplateManager;
+import com.marklogic.rest.util.Fragment;
+import org.junit.Test;
+
+import java.io.File;
+import java.util.List;
+
+
+public class InsertHostCertificateTest extends AbstractAppDeployerTest {
+
+	private final static String TEMPLATE_NAME = "sample-app-certificate-template";
+
+	@Test
+	public void test() {
+		appConfig.setConfigDir(new ConfigDir(new File("src/test/resources/sample-app/host-certificates")));
+
+		initializeAppDeployer(
+			new DeployCertificateAuthoritiesCommand(),
+			new DeployCertificateTemplatesCommand(),
+			new InsertCertificateHostsTemplateCommand());
+
+		CertificateTemplateManager mgr = new CertificateTemplateManager(manageClient);
+
+		try {
+			deploySampleApp();
+			verifyHostCertificateWasInserted(mgr);
+
+			// Make sure nothing breaks by deploying it again
+			deploySampleApp();
+			verifyHostCertificateWasInserted(mgr);
+		} finally {
+			/**
+			 * TODO Deleting certificate authorities in ML 9.0-5 via the Manage API doesn't appear to be working, so
+			 * the certificate authority that's created by this class is left over.
+			 */
+			undeploySampleApp();
+
+			List<String> templateNames = mgr.getAsXml().getListItemNameRefs();
+			assertFalse(templateNames.contains(TEMPLATE_NAME));
+		}
+	}
+
+	private void verifyHostCertificateWasInserted(CertificateTemplateManager mgr) {
+		List<String> templateNames = mgr.getAsXml().getListItemNameRefs();
+		assertTrue(templateNames.contains(TEMPLATE_NAME));
+
+		Fragment xml = mgr.getCertificatesForTemplate(TEMPLATE_NAME);
+		assertEquals("host1.marklogic.com", xml.getElementValue("/msec:certificate-list/msec:certificate/msec:host-name"));
+		assertEquals("MarkLogicBogusCA", xml.getElementValue("/msec:certificate-list/msec:certificate/cert:cert/cert:issuer/cert:commonName"));
+	}
+}

src/test/resources/sample-app/host-certificates/security/certificate-authorities/MarkLogicBogusCA.crt

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIETjCCAzagAwIBAgIJAOLo8uCav9wyMA0GCSqGSIb3DQEBBAUAMHUxEzARBgoJ
+kiaJk/IsZAEZFgNjb20xGTAXBgoJkiaJk/IsZAEZFgltYXJrbG9naWMxEjAQBgNV
+BAoTCU1hcmtMb2dpYzEUMBIGA1UECxMLYXBwZGVwbG95ZXIxGTAXBgNVBAMTEE1h
+cmtMb2dpY0JvZ3VzQ0EwHhcNMTgwNjE1MDAyNDUyWhcNMjEwNjE0MDAyNDUyWjB1
+MRMwEQYKCZImiZPyLGQBGRYDY29tMRkwFwYKCZImiZPyLGQBGRYJbWFya2xvZ2lj
+MRIwEAYDVQQKEwlNYXJrTG9naWMxFDASBgNVBAsTC2FwcGRlcGxveWVyMRkwFwYD
+VQQDExBNYXJrTG9naWNCb2d1c0NBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAr7PJ0JNIomzSsfpJAJNNGzu5c+mFPWQCleDdcXfTc9gKJ36F/pxi6Gf4
+KNmFq3hiXXG1mZUw/TqWMHNOlAd/PcNGd8B3kLYBMQc3zRmgPpUz+KB2IQuvbf3f
+y98V7Ti/68vmlpVId6a9SPIIIpyE8g3m76BgfYchAv7HDRtSLa1GuZcLoWyFfHcU
+Ec/De4z5E6Icl095nsNBPCtb1EwgmToMeiHK7HJFDtwVLoZSNkkYCLC91CJv2pbM
+5xh+9AZDpNyO721VFoICAQ8Z4wUQ3YKy7wZIEpXTaqVcd0BK2nIzCfNRQdsg0yvS
+DNg2wTxQOWhzdRdy4qmk50pNG8orfwIDAQABo4HgMIHdMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFEe+Lt2Ht7lPuF3nfHPtEBFwGzG1MIGnBgNVHSMEgZ8w
+gZyAFEe+Lt2Ht7lPuF3nfHPtEBFwGzG1oXmkdzB1MRMwEQYKCZImiZPyLGQBGRYD
+Y29tMRkwFwYKCZImiZPyLGQBGRYJbWFya2xvZ2ljMRIwEAYDVQQKEwlNYXJrTG9n
+aWMxFDASBgNVBAsTC2FwcGRlcGxveWVyMRkwFwYDVQQDExBNYXJrTG9naWNCb2d1
+c0NBggkA4ujy4Jq/3DIwDQYJKoZIhvcNAQEEBQADggEBAFcuLBC1SNtAQWqWOQ8d
+xJFIHjTVLsVTjdhM90cqJwcyuvn6njDJOUvL1phNM982rF3xaeNsRJ6MPmOaZCf6
+qH4ttYpKXGG9kh4ZDO8Uv3nlGq+5LEkPhqeAjvTcWDkds50aWUDbdD7LPN6P4F0Z
+DSeWfcchWbvcFuv9/89MFZe1AY3jGs09DPN33IYnSspVU0fwChwthSzBbnGlcOk6
+W3lXf8thj5c60rV6VXD7pJG/KsEcuIlorwoV2/1N1PafjSi3GQUVdOhrY0YCSHkt
+uATrgrFzA0e44kPGPUVosv37TZe4SKAQgcmrDIhr3fMU1b4LOG+mJc+tcf+HEfMn
+6ZY=
+-----END CERTIFICATE-----

src/test/resources/sample-app/host-certificates/security/certificate-templates/host-certificates/sample-app-certificate-template/README.md

@@ -0,0 +1,2 @@
+The host2.marklogic.com.crt file exists to verify that no error occurs when a corresponding 
+key file cannot be found.