Merge branch 'dev' of codecommit://os-crs-catalog into aws-integration

90f9d117 · Sutton · 1fa8febe · cab23fc2 · 90f9d117 · 90f9d117
Commit 90f9d117 authored Feb 18, 2021 by Sutton
--- a/provider/crs-catalog-aws/build-aws/Dockerfile
+++ b/provider/crs-catalog-aws/build-aws/Dockerfile
@@ -17,7 +17,14 @@ FROM amazoncorretto:8

 ARG JAR_FILE=provider/crs-catalog-aws/target/crs-catalog-aws-*.jar
 WORKDIR /
+
+#Default to using self signed generated TLS cert
+ENV USE_SELF_SIGNED_SSL_CERT true
+
 COPY ${JAR_FILE} app.jar
 COPY /data/crs_catalog_v2.json /data/crs_catalog_v2.json
+COPY /provider/crs-catalog-aws/build-aws/ssl.sh /ssl.sh
+COPY /provider/crs-catalog-aws/build-aws/entrypoint.sh /entrypoint.sh
+
 EXPOSE 8080
-ENTRYPOINT java $JAVA_OPTS -jar /app.jar
+ENTRYPOINT ["/bin/sh", "-c", ". /entrypoint.sh"]
--- a/provider/crs-catalog-aws/build-aws/buildspec.yaml
+++ b/provider/crs-catalog-aws/build-aws/buildspec.yaml
@@ -27,6 +27,8 @@ phases:
    runtime-versions:
      java: corretto8
    commands:
+      # fix error noted here: https://github.com/yarnpkg/yarn/issues/7866
+      - curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
      - if [ $(echo $CODEBUILD_SOURCE_VERSION | grep -c  ^refs/heads.*) -eq 1 ]; then echo "Branch name found"; else echo "This build only supports branch builds" && exit 1; fi
      - apt-get update -y
      - apt-get install -y maven

--- a/provider/crs-catalog-aws/build-aws/entrypoint.sh
+++ b/provider/crs-catalog-aws/build-aws/entrypoint.sh
+
+
+if [ -n $USE_SELF_SIGNED_SSL_CERT ];
+then    
+    export SSL_KEY_PASSWORD=$RANDOM$RANDOM$RANDOM;
+    export SSL_KEY_STORE_PASSWORD=$SSL_KEY_PASSWORD;
+    export SSL_KEY_STORE_DIR=/tmp/certs;
+    export SSL_KEY_STORE_NAME=osduonaws.p12;
+    export SSL_KEY_STORE_PATH=$SSL_KEY_STORE_DIR/$SSL_KEY_STORE_NAME;
+    export SSL_KEY_ALIAS=osduonaws;
+    
+    ./ssl.sh;
+fi
+
+java $JAVA_OPTS -jar /app.jar
\ No newline at end of file
--- a/provider/crs-catalog-aws/build-aws/ssl.sh
+++ b/provider/crs-catalog-aws/build-aws/ssl.sh
+# Copyright © 2021 Amazon Web Services
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/usr/bin/env bash
+
+#Future: Support for using Amazon Cert Manager
+# if [ "$1" == "webserver" ] && [ -n $ACM_CERTIFICATE_ARN ];
+# then
+
+#   aws acm export-certificate --certificate-arn $ACM_CERTIFICATE_ARN --passphrase $(echo -n 'aws123' | openssl base64 -e) | jq -r '"\(.PrivateKey)"' > ${SSL_KEY_PATH}.enc
+#   openssl rsa -in ${SSL_KEY_PATH}.enc -out $SSL_KEY_PATH -passin pass:aws123
+#   aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.CertificateChain)"' > $SSL_CERT_PATH
+#   aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.Certificate)"' >> $SSL_CERT_PATH
+
+# fi
+
+if [ -n $USE_SELF_SIGNED_SSL_CERT ];
+then
+    mkdir -p $SSL_KEY_STORE_DIR
+    pushd $SSL_KEY_STORE_DIR
+    keytool -genkeypair -alias $SSL_KEY_ALIAS -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore $SSL_KEY_STORE_NAME -validity 3650 -keypass $SSL_KEY_PASSWORD -storepass $SSL_KEY_PASSWORD -dname "CN=localhost, OU=AWS, O=Energy, L=Houston, ST=TX, C=US"
+    popd
+fi
--- a/provider/crs-catalog-aws/src/main/resources/application.properties
+++ b/provider/crs-catalog-aws/src/main/resources/application.properties
@@ -41,4 +41,11 @@ aws.elasticache.cluster.endpoint=${CACHE_CLUSTER_ENDPOINT}
 aws.elasticache.cluster.port=${CACHE_CLUSTER_PORT}

 # if this is turned on then the service tries to connect to elastic search
-management.health.elasticsearch.enabled=false
\ No newline at end of file
+management.health.elasticsearch.enabled=false
+
+server.ssl.enabled=${SSL_ENABLED:true}
+server.ssl.key-store-type=PKCS12
+server.ssl.key-store=${SSL_KEY_STORE_PATH:/certs/osduonaws.p12}
+server.ssl.key-alias=${SSL_KEY_ALIAS:osduonaws}
+server.ssl.key-password=${SSL_KEY_PASSWORD:}
+server.ssl.key-store-password=${SSL_KEY_STORE_PASSWORD:}
\ No newline at end of file
--- a/testing/catalog_test_aws/jwt_client.py
+++ b/testing/catalog_test_aws/jwt_client.py
@@ -18,8 +18,11 @@ import boto3;
 import jwt;

 def get_id_token():
-    client = boto3.client('cognito-idp', region_name=os.environ["AWS_REGION"])
-
+    region = os.getenv("AWS_COGNITO_REGION")
+    if region:
+        client = boto3.client('cognito-idp', region_name=region)
+    else:
+        client = boto3.client('cognito-idp', region_name=os.environ["AWS_REGION"])
    userAuth = client.initiate_auth(
        ClientId= os.environ['AWS_COGNITO_CLIENT_ID'],
        # UserPoolId= os.environ['AWS_COGNITO_USER_POOL_ID'],
@@ -33,4 +36,4 @@ def get_id_token():

 def get_invalid_token():
    #generate a dummy jwt
-    return jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256').decode("utf-8")
\ No newline at end of file
+    return jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256').decode("utf-8")