#419: Deploying certificate templates now accounts for hostname

Author: rjrudin

src/main/java/com/marklogic/appdeployer/command/AbstractCommand.java

@@ -199,7 +199,6 @@ protected boolean resourceMergingIsSupported(CommandContext context) {
 	 * an ObjectNode, which is the preferred data structure for merging resources together, and then stashing that
 	 * ObjectNode in the CommandContext map.
 	 *
-	 * @return
 	 */
 	protected void storeResourceInCommandContextMap(CommandContext context, File resourceFile, String payload) {
 		final String contextKey = getContextKeyForResourcesToSave();

src/main/java/com/marklogic/appdeployer/command/security/InsertCertificateHostsTemplateCommand.java

@@ -1,21 +1,24 @@
 package com.marklogic.appdeployer.command.security;
 
-import java.io.File;
-import java.util.List;
-
 import com.marklogic.appdeployer.ConfigDir;
 import com.marklogic.appdeployer.command.AbstractCommand;
 import com.marklogic.appdeployer.command.CommandContext;
 import com.marklogic.appdeployer.command.SortOrderConstants;
+import com.marklogic.mgmt.ManageClient;
 import com.marklogic.mgmt.resource.security.CertificateTemplateManager;
+import org.springframework.util.FileCopyUtils;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.List;
 
 /**
  * Inserts host certificates for each certificate template returned by the Manage API. Host certificates are inserted
  * via the endpoint at http://docs.marklogic.com/REST/POST/manage/v2/certificate-templates/[id-or-name]#insertHC .
- *
+ * <p>
  * To allow for host certificates to be associated with a certificate template, this command expects to find host
  * certificates in a directory named "(configuration directory)/security/certificate-templates/host-certificates/(name of template)/".
- *
+ * <p>
  * The public certificate file must be a PEM-formatted file with a file extension of ".crt". And the private key file must
  * be a PEM-formatted file with a file extension of ".key".
  */
@@ -41,17 +44,17 @@ public void execute(CommandContext context) {
 		}
 	}
 
-    /**
-     * Looks for host certificates for the given template name.
-     *
-     * @param context
-     * @param templateName Name of the template the host certificates should be inserted into
-     */
-    protected void insertHostCertificatesForTemplate(CommandContext context, String templateName) {
+	/**
+	 * Looks for host certificates for the given template name.
+	 *
+	 * @param context
+	 * @param templateName Name of the template the host certificates should be inserted into
+	 */
+	protected void insertHostCertificatesForTemplate(CommandContext context, String templateName) {
 		for (ConfigDir configDir : context.getAppConfig().getConfigDirs()) {
 			File hostCertDir = new File(configDir.getCertificateTemplatesDir() + File.separator + "host-certificates" + File.separator + templateName);
 			logger.info(format("Looking for host certificate files ending in '%s' for template '%s' in: %s", publicCertificateFileExtension, templateName, hostCertDir.getAbsolutePath()));
-			if (hostCertDir.exists()){
+			if (hostCertDir.exists()) {
 				for (File f : hostCertDir.listFiles()) {
 					if (f.getName().endsWith(publicCertificateFileExtension)) {
 						File privateKeyFile = determinePrivateKeyFile(f);
@@ -66,33 +69,113 @@ protected void insertHostCertificatesForTemplate(CommandContext context, String
 				}
 			}
 		}
-	 }
+	}
 
-	 protected File determinePrivateKeyFile(File publicCertificateFile) {
-    	String path = publicCertificateFile.getAbsolutePath();
-    	return new File(path.substring(0, path.length() - publicCertificateFileExtension.length()) + privateKeyFileExtension);
-	 }
+	protected File determinePrivateKeyFile(File publicCertificateFile) {
+		String path = publicCertificateFile.getAbsolutePath();
+		return new File(path.substring(0, path.length() - publicCertificateFileExtension.length()) + privateKeyFileExtension);
+	}
 
 	/**
 	 * @param context
-	 * @param templateName The name of the certificate template that the host certificate will be inserted into
+	 * @param templateName   The name of the certificate template that the host certificate will be inserted into
+	 *                       Assumes filename is hostname + .crt: ex: host1.marklogic.com.crt
 	 * @param publicCertFile
 	 * @param privateKeyFile
 	 */
 	protected void insertHostCertificate(CommandContext context, String templateName, File publicCertFile, File privateKeyFile) {
-		CertificateTemplateManager mgr = new CertificateTemplateManager(context.getManageClient());
-		if (!mgr.certificateExists(templateName)) {
+		if (!certificateExists(templateName, publicCertFile, context.getManageClient())) {
 			logger.info(format("Inserting host certificate for certificate template '%s'", templateName));
 			String pubCertString = copyFileToString(publicCertFile);
 			String privateKeyString = copyFileToString(privateKeyFile);
-			mgr.insertHostCertificate(templateName, pubCertString, privateKeyString);
+			new CertificateTemplateManager(context.getManageClient()).insertHostCertificate(templateName, pubCertString, privateKeyString);
 			logger.info(format("Inserted host certificate for certificate template '%s'", templateName));
 		} else {
 			logger.info(format("Host certificate already exists for certificate template '%s', so not inserting host certificate found at: %s",
 				templateName, publicCertFile.getAbsolutePath()));
 		}
 	}
 
+	/**
+	 * @param templateName
+	 * @param publicCertFile
+	 * @param manageClient
+	 * @return
+	 */
+	protected boolean certificateExists(String templateName, File publicCertFile, ManageClient manageClient) {
+		CertificateTemplateManager mgr = new CertificateTemplateManager(manageClient);
+
+		String hostName = null;
+		try {
+			hostName = getCertificateHostName(publicCertFile, manageClient);
+		} catch (Exception ex) {
+			logger.warn("Unable to determine host name for public certificate file: " + publicCertFile + "; cause: " + ex.getMessage() +
+				". Due to this, the check to determine if the certificate exists already will not include a host name but will only be " +
+				"based on the name of the template.");
+		}
+
+		if (hostName != null) {
+			logger.info(format("Checking for existing certificate with name '%s' and host name '%s'", templateName, hostName));
+			return mgr.certificateExists(templateName, hostName);
+		}
+
+		// This is very unexpected, as it would mean that the /v1/eval query was not able to extract a host name
+		logger.info(format("Could not determine host name, so checking for existing certificate with name '%s'", templateName));
+		return mgr.certificateExists(templateName);
+	}
+
+	/**
+	 * Uses the /v1/eval endpoint on the Manage server to extract the host name from the given public certificate file.
+	 *
+	 * @param publicCertFile
+	 * @param manageClient
+	 * @return
+	 */
+	protected String getCertificateHostName(File publicCertFile, ManageClient manageClient) {
+		final String query = makeQueryForHostName(publicCertFile);
+		String response = manageClient.postForm("/v1/eval", "xquery", query).getBody();
+		return extractHostNameFromEvalResponse(response);
+	}
+
+	/**
+	 * Builds an XQuery query that can extract the host name from the given public certificate file.
+	 *
+	 * @param publicCertFile
+	 * @return
+	 */
+	protected String makeQueryForHostName(File publicCertFile) {
+		String certContents;
+		try {
+			certContents = new String(FileCopyUtils.copyToByteArray(publicCertFile));
+		} catch (IOException e) {
+			throw new RuntimeException("Unable to read certificate from file: " + publicCertFile + "; cause: " + e.getMessage());
+		}
+
+		return format("xdmp:x509-certificate-extract(\"%s\")/*:subject/*:commonName/fn:string()", certContents);
+	}
+
+	/**
+	 * The /v1/eval endpoint returns a multipart/mixed response that Spring 5.x does not yet seem to handle, even though
+	 * it appears that 5.2.x should. So there's some really hacky code here to extract the value of the host name
+	 * from the /v1/eval response.
+	 *
+	 * @param response
+	 * @return
+	 */
+	protected String extractHostNameFromEvalResponse(String response) {
+		final String token = "X-Primitive: string";
+		int pos = response.indexOf(token);
+		if (pos < 0) {
+			throw new IllegalArgumentException("Unable to extract host name from eval response: " + response + "; did not find: " + token);
+		}
+		response = response.substring(pos + token.length()).trim();
+		pos = response.indexOf("--");
+		if (pos < 0) {
+			throw new IllegalArgumentException("Unable to extract host name from eval response: " + response + "; did not find '--' after " + token);
+		}
+		return response.substring(0, pos).trim();
+	}
+
 	public void setPublicCertificateFileExtension(String publicCertificateFileExtension) {
 		this.publicCertificateFileExtension = publicCertificateFileExtension;
 	}

src/main/java/com/marklogic/mgmt/resource/security/CertificateTemplateManager.java

@@ -117,12 +117,21 @@ public ResponseEntity<String> insertHostCertificate(String templateIdOrName, Str
 	 * Used because ML9.0-5 (and prior) has bug for "needs-certificate" call
 	 */
 	public boolean certificateExists(String templateIdOrName) {
-		Fragment response = getCertificatesForTemplate(templateIdOrName);
-		if (logger.isDebugEnabled()) {
-			logger.debug(format("Checking if %s template has certificates --> for template: %s", templateIdOrName, response.getPrettyXml()));
-		}
+		return certificateExists(templateIdOrName, null);
+	}
 
-		return response.elementExists("/msec:certificate-list/msec:certificate");
+	/**
+	 *
+	 * @param templateIdOrName
+	 * @param certificateHostName if not null, then true will be iff a certificate with the given templateIdOrName
+	 *                            exists, and it has a host-name matching this parameter
+	 * @return
+	 */
+	public boolean certificateExists(String templateIdOrName, String certificateHostName) {
+		Fragment response = getCertificatesForTemplate(templateIdOrName);
+		return certificateHostName != null ?
+			response.elementExists(format("/msec:certificate-list/msec:certificate[msec:host-name = '%s']", certificateHostName)) :
+			response.elementExists("/msec:certificate-list/msec:certificate");
 	}
 
     public Fragment getCertificatesForTemplate(String templateIdOrName) {

src/test/java/com/marklogic/appdeployer/command/security/InsertHostCertificateTest.java

@@ -13,9 +13,57 @@
 public class InsertHostCertificateTest extends AbstractAppDeployerTest {
 
 	private final static String TEMPLATE_NAME = "sample-app-certificate-template";
+	private final static String CERTIFICATE_HOSTNAME = "host1.marklogic.com";
 
 	@Test
-	public void test() {
+	public void extractHostNameFromEvalResponse() {
+		String hostName = new InsertCertificateHostsTemplateCommand().extractHostNameFromEvalResponse("--8f04db15a117ed37\n" +
+			"Content-Type: text/plain\n" +
+			"X-Primitive: string\n" +
+			"\n" +
+			"MarkLogicBogusCA\n" +
+			"--8f04db15a117ed37--");
+		assertEquals("MarkLogicBogusCA", hostName);
+	}
+
+	@Test
+	public void unexpectedEvalResponse() {
+		try {
+			new InsertCertificateHostsTemplateCommand().extractHostNameFromEvalResponse("--8f04db15a117ed37\n" +
+				"Content-Type: text/plain\n" +
+				"\n" +
+				"MarkLogicBogusCA\n" +
+				"--8f04db15a117ed37--");
+			fail("Should have failed because X-Primitive: string is missing");
+		} catch (IllegalArgumentException ex) {
+			assertTrue(ex.getMessage().contains("did not find: X-Primitive: string"));
+		}
+	}
+
+	@Test
+	public void anotherUnexpectedEvalResponse() {
+		try {
+			new InsertCertificateHostsTemplateCommand().extractHostNameFromEvalResponse("--8f04db15a117ed37\n" +
+				"Content-Type: text/plain\n" +
+				"X-Primitive: string\n" +
+				"\n" +
+				"MarkLogicBogusCA\n");
+			fail("Should have failed because there's no '--' after X-Primitive: string");
+		} catch (IllegalArgumentException ex) {
+			assertTrue(ex.getMessage().contains("did not find '--'"));
+		}
+	}
+
+	@Test
+	public void extractHostNameFromFile() {
+		File certFile = new File("src/test/resources/sample-app/host-certificates/security/certificate-templates" +
+			"/host-certificates/sample-app-certificate-template/host1.marklogic.com.crt");
+		String hostName = new InsertCertificateHostsTemplateCommand().getCertificateHostName(certFile, manageClient);
+		assertEquals("host1.marklogic.com", hostName);
+	}
+
+	@Test
+	public void insertCertificateAndVerify() {
 		appConfig.setConfigDir(new ConfigDir(new File("src/test/resources/sample-app/host-certificates")));
 
 		initializeAppDeployer(
@@ -49,7 +97,7 @@ private void verifyHostCertificateWasInserted(CertificateTemplateManager mgr) {
 		assertTrue(templateNames.contains(TEMPLATE_NAME));
 
 		Fragment xml = mgr.getCertificatesForTemplate(TEMPLATE_NAME);
-		assertEquals("host1.marklogic.com", xml.getElementValue("/msec:certificate-list/msec:certificate/msec:host-name"));
+		assertEquals(CERTIFICATE_HOSTNAME, xml.getElementValue("/msec:certificate-list/msec:certificate/msec:host-name"));
 		assertEquals("MarkLogicBogusCA", xml.getElementValue("/msec:certificate-list/msec:certificate/cert:cert/cert:issuer/cert:commonName"));
 	}
 }