From c5ff728dc7e2b71fd9150138970f44a0ecd8576a Mon Sep 17 00:00:00 2001 
From: Spencer Sutton <suttonsp@amazon.com>
Date: Wed, 3 Feb 2021 15:19:16 +0000
Subject: [PATCH] SSL AWS
commit 197fe901
Author: Sutton <suttonsp@147dda3a90de.ant.amazon.com>
Date: Fri Jan 29 2021 12:48:17 GMT-0600 (Central Standard Time)
Updating paths
commit f1511504
Author: Sutton <suttonsp@147dda3a90de.ant.amazon.com>
Date: Fri Jan 29 2021 12:43:23 GMT-0600 (Central Standard Time)
Adding ssl
commit 9bd86a9d
Author: Bill Wang <wanzhiji@amazon.com>
Date: Mon Jan 04 2021 16:27:35 GMT-0600 (Central Standard Time)
Squashed commit of the following
commit 04e49a0d
Author: zhijie wang <wanzhiji@amazon.com>
Date: Mon Dec 28 2020 19:10:30 GMT-0800 (Pacific Standard Time)
fix Cognito region services
commit fca15a32
Author: zhijie wang <wanzhiji@amazon.com>
Date: Mon Dec 28 2020 13:56:14 GMT-0800 (Pacific Standard Time)
commit eaf5dcc4
Author: zhijie wang <wanzhiji@amazon.com>
Date: Mon Dec 28 2020 13:35:25 GMT-0800 (Pacific Standard Time)
fix cognito client
commit 9ceee335
Author: zhijie wang <wanzhiji@amazon.com>
Date: Mon Dec 28 2020 13:20:15 GMT-0800 (Pacific Standard Time)
bump core service version
commit 30d44fe4
Author: zhijie wang <wanzhiji@amazon.com>
Date: Mon Dec 21 2020 15:03:10 GMT-0800 (Pacific Standard Time)
fix pom version
commit f0066a25
Author: wanzhiji <wanzhiji@amazon.com>
Date: Tue Dec 22 2020 10:29:39 GMT-0600 (Central Standard Time)
Squashed commit of the following
commit 30d44fe4
Author: zhijie wang <wanzhiji@amazon.com>
Date: Mon Dec 21 2020 15:03:10 GMT-0800 (Pacific Standard Time)
fix pom version
---
 .../notification-aws/build-aws/Dockerfile | 9 ++++-
 .../notification-aws/build-aws/entrypoint.sh | 15 ++++++++
 provider/notification-aws/build-aws/ssl.sh | 34 +++++++++++++++++++
 .../src/main/resources/application.properties | 9 ++++-
 4 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100755 provider/notification-aws/build-aws/entrypoint.sh
 create mode 100755 provider/notification-aws/build-aws/ssl.sh
diff --git a/provider/notification-aws/build-aws/Dockerfile b/provider/notification-aws/build-aws/Dockerfile
index c24b95cd8..9e95e62d6 100644
--- a/provider/notification-aws/build-aws/Dockerfile
+++ b/provider/notification-aws/build-aws/Dockerfile
@@ -18,7 +18,14 @@ FROM amazoncorretto:8
 ARG JAR_FILE=provider/notification-aws/target/*spring-boot.jar
 # Harcoding this value since Notification-core requires this variable. AWS does not use it. Might change in future
 ENV ENVIRONMENT=DEV
+
+#Default to using self signed generated TLS cert
+ENV USE_SELF_SIGNED_SSL_CERT true
+
 WORKDIR /
 COPY ${JAR_FILE} app.jar
+COPY /provider/notification-aws/build-aws/ssl.sh /ssl.sh
+COPY /provider/notification-aws/build-aws/entrypoint.sh /entrypoint.sh
 EXPOSE 8080
-ENTRYPOINT java $JAVA_OPTS -jar /app.jar
+
+ENTRYPOINT ["/bin/sh", "-c", ". /entrypoint.sh"]
\ No newline at end of file
diff --git a/provider/notification-aws/build-aws/entrypoint.sh b/provider/notification-aws/build-aws/entrypoint.sh
new file mode 100755
index 000000000..9bd3ec69d
--- /dev/null
+++ b/provider/notification-aws/build-aws/entrypoint.sh
@@ -0,0 +1,15 @@
+
+
+if [ -n $USE_SELF_SIGNED_SSL_CERT ];
+then
+ export SSL_KEY_PASSWORD=$RANDOM$RANDOM$RANDOM;
+ export SSL_KEY_STORE_PASSWORD=$SSL_KEY_PASSWORD;
+ export SSL_KEY_STORE_DIR=/tmp/certs;
+ export SSL_KEY_STORE_NAME=osduonaws.p12;
+ export SSL_KEY_STORE_PATH=$SSL_KEY_STORE_DIR/$SSL_KEY_STORE_NAME;
+ export SSL_KEY_ALIAS=osduonaws;
+
+ ./ssl.sh;
+fi
+
+java $JAVA_OPTS -jar /app.jar
\ No newline at end of file
diff --git a/provider/notification-aws/build-aws/ssl.sh b/provider/notification-aws/build-aws/ssl.sh
new file mode 100755
index 000000000..9ede56568
--- /dev/null
+++ b/provider/notification-aws/build-aws/ssl.sh
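Review bot: `ENTRYPOINT ["/bin/sh", "-c", ". /entrypoint.sh"]` sources the script into a `/bin/sh` that stays PID 1, and because the script's last line starts java without `exec`, the JVM is a child that never receives the SIGTERM `docker stop` sends — the container is killed at the end of the grace period instead of shutting down cleanly. Sourcing also pins the script to the base image's `/bin/sh` rather than the interpreter it would declare, and the `$RANDOM` it relies on is a bash feature that works only where `/bin/sh` happens to be bash. entrypoint.sh is committed as mode 100755, so `ENTRYPOINT ["/entrypoint.sh"]` together with a `#!/usr/bin/env bash` first line and `exec java $JAVA_OPTS -jar /app.jar` as the script's last line keeps the behaviour and makes the JVM PID 1. Two smaller points in the same hunk: `ENV USE_SELF_SIGNED_SSL_CERT true` is the deprecated space-separated form and should read `ENV USE_SELF_SIGNED_SSL_CERT=true`, and per the application.properties hunk the port behind `EXPOSE 8080` now serves TLS, which the `#Default to using self signed generated TLS cert` comment could state so that probes and callers are moved to https.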
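Review bot: `if [ -n $USE_SELF_SIGNED_SSL_CERT ];` cannot turn self-signed generation off: with the variable unset or empty the unquoted expansion vanishes and the test becomes `[ -n ]`, which is true, and any non-empty value such as `false` is true as well, so the branch always runs; the identical test in ssl.sh has the same problem. Comparing against the value the Dockerfile sets, `if [ "${USE_SELF_SIGNED_SSL_CERT:-}" = "true" ]; then`, gives operators a real switch for mounting their own keystore. `./ssl.sh` only resolves because the Dockerfile sets `WORKDIR /`; calling `/ssl.sh` matches the `COPY` destination and survives a later WORKDIR change. `$RANDOM$RANDOM$RANDOM` is a bash-ism yielding at most about 45 bits, which is tolerable here only because the keystore and its password live in the same container, but if openssl is present in the image `openssl rand -hex 16` is portable and stronger — either way a comment on that line saying the password is ephemeral and exists only because PKCS12 requires one would help the next reader.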
@@ -0,0 +1,34 @@
+# Copyright © 2021 Amazon Web Services
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/usr/bin/env bash
+
+#Future: Support for using Amazon Cert Manager
+# if [ "$1" == "webserver" ] && [ -n $ACM_CERTIFICATE_ARN ];
+# then
+
+# aws acm export-certificate --certificate-arn $ACM_CERTIFICATE_ARN --passphrase $(echo -n 'aws123' | openssl base64 -e) | jq -r '"\(.PrivateKey)"' > ${SSL_KEY_PATH}.enc
+# openssl rsa -in ${SSL_KEY_PATH}.enc -out $SSL_KEY_PATH -passin pass:aws123
+# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.CertificateChain)"' > $SSL_CERT_PATH
+# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.Certificate)"' >> $SSL_CERT_PATH
+
+# fi
+
+if [ -n $USE_SELF_SIGNED_SSL_CERT ];
+then
+ mkdir -p $SSL_KEY_STORE_DIR
+ pushd $SSL_KEY_STORE_DIR
+ keytool -genkeypair -alias $SSL_KEY_ALIAS -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore $SSL_KEY_STORE_NAME -validity 3650 -keypass $SSL_KEY_PASSWORD -storepass $SSL_KEY_PASSWORD -dname "CN=localhost, OU=AWS, O=Energy, L=Houston, ST=TX, C=US"
+ popd
+fi
diff --git a/provider/notification-aws/src/main/resources/application.properties b/provider/notification-aws/src/main/resources/application.properties
index 0b12d5c28..8c09e85af 100644
--- a/provider/notification-aws/src/main/resources/application.properties
+++ b/provider/notification-aws/src/main/resources/application.properties
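Review bot: `#!/usr/bin/env bash` sits on line 15, after the license header, so it is an ordinary comment: the kernel honours a shebang only on the first line, and `./ssl.sh` therefore runs under whatever shell the caller falls back to, while `pushd`/`popd` are bash builtins that a POSIX `sh` does not provide. Every expansion is unquoted and there is no `set -e`, so a failed `mkdir -p` or `keytool` is ignored and the JVM later fails on a missing keystore with a less informative error. The rewrite below moves the shebang to line 1, fails fast, quotes the paths and hands keytool the full keystore path instead of changing directory; separately, the commented-out ACM block embeds a literal passphrase `'aws123'`, which should come from a secret rather than the script if that path is ever implemented. A comment on the keytool call such as `# Self-signed, CN=localhost, no SAN: peers cannot verify this certificate against a hostname; replace it for any client that validates.` documents the limits of the default.
```bash
#!/usr/bin/env bash
# … unchanged: Apache-2.0 license header …
set -eu

# … unchanged: commented-out ACM placeholder …

if [ "${USE_SELF_SIGNED_SSL_CERT:-}" = "true" ]; then
    mkdir -p "$SSL_KEY_STORE_DIR"
    # Self-signed, CN=localhost, no SAN: peers cannot verify this certificate
    # against a hostname; replace it for any client that validates.
    keytool -genkeypair -alias "$SSL_KEY_ALIAS" -keyalg RSA -keysize 2048 \
        -storetype PKCS12 -keystore "$SSL_KEY_STORE_DIR/$SSL_KEY_STORE_NAME" \
        -validity 3650 -keypass "$SSL_KEY_PASSWORD" -storepass "$SSL_KEY_PASSWORD" \
        -dname "CN=localhost, OU=AWS, O=Energy, L=Houston, ST=TX, C=US"
fi
```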
@@ -1,4 +1,4 @@
-# Copyright © 2020 Amazon Web Services
+# Copyright � 2020 Amazon Web Services
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -43,3 +43,10 @@ logging.mdccontext.enabled=true
 # if this is turned on then the service tries to connect to elastic search
 management.health.elasticsearch.enabled=false
+
+server.ssl.enabled=${SSL_ENABLED:true}
+server.ssl.key-store-type=PKCS12
+server.ssl.key-store=${SSL_KEY_STORE_PATH:/certs/osduonaws.p12}
+server.ssl.key-alias=${SSL_KEY_ALIAS:osduonaws}
+server.ssl.key-password=${SSL_KEY_PASSWORD:}
+server.ssl.key-store-password=${SSL_KEY_STORE_PASSWORD:}
\ No newline at end of file
--
GitLab
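Review bot: The only change in the first hunk turns `# Copyright © 2020 Amazon Web Services` into `# Copyright � 2020 Amazon Web Services` — U+FFFD, the residue of the file being round-tripped through the wrong encoding — so it is a regression rather than an edit; drop the hunk and keep the original line. Saving `application.properties` as UTF-8 in the editor keeps the same corruption from reappearing on the next touch.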
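Review bot: The fallback in `server.ssl.key-store=${SSL_KEY_STORE_PATH:/certs/osduonaws.p12}` points at `/certs`, while entrypoint.sh generates the store under `/tmp/certs`; the two agree only because the entrypoint exports `SSL_KEY_STORE_PATH`, so the fallback is really the contract for an operator who mounts their own keystore and deserves a comment: `# Fallbacks apply when the entrypoint does not generate a store: mount a PKCS12 keystore at /certs/osduonaws.p12 and set SSL_KEY_PASSWORD / SSL_KEY_STORE_PASSWORD`. With `server.ssl.enabled=${SSL_ENABLED:true}` and empty password fallbacks, a container whose generator does not run and whose passwords are unset presumably fails at startup rather than serving plaintext, which is the right direction but worth stating in the same comment so the failure is not mistaken for a bug. The file also loses the trailing newline the previous revision had.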