diff --git a/provider/crs-catalog-aws/build-aws/Dockerfile b/provider/crs-catalog-aws/build-aws/Dockerfile
index 4915d7ce4ee0f10173739a7ef210d1afc2446deb..b531e6b6b18fbea2533af77305b061d93050707b 100644
--- a/provider/crs-catalog-aws/build-aws/Dockerfile
+++ b/provider/crs-catalog-aws/build-aws/Dockerfile
@@ -17,7 +17,14 @@ FROM amazoncorretto:8
 ARG JAR_FILE=provider/crs-catalog-aws/target/crs-catalog-aws-*.jar
 WORKDIR /
+
+#Default to using self signed generated TLS cert
+ENV USE_SELF_SIGNED_SSL_CERT true
+
 COPY ${JAR_FILE} app.jar
 COPY /data/crs_catalog_v2.json /data/crs_catalog_v2.json
+COPY /provider/crs-catalog-aws/build-aws/ssl.sh /ssl.sh
+COPY /provider/crs-catalog-aws/build-aws/entrypoint.sh /entrypoint.sh
+
 EXPOSE 8080
-ENTRYPOINT java $JAVA_OPTS -jar /app.jar
+ENTRYPOINT ["/bin/sh", "-c", ". /entrypoint.sh"]
diff --git a/provider/crs-catalog-aws/build-aws/buildspec.yaml b/provider/crs-catalog-aws/build-aws/buildspec.yaml
index 9c7186ec12456dbff3d1e13527bf3ffa4f4bd7d9..5a501a63801d2346266a2c607dab45e997081d5c 100644
--- a/provider/crs-catalog-aws/build-aws/buildspec.yaml
+++ b/provider/crs-catalog-aws/build-aws/buildspec.yaml
@@ -27,6 +27,8 @@ phases:
 runtime-versions:
 java: corretto8
 commands:
+ # fix error noted here: https://github.com/yarnpkg/yarn/issues/7866
+ - curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
 - if [ $(echo $CODEBUILD_SOURCE_VERSION | grep -c ^refs/heads.*) -eq 1 ]; then echo "Branch name found"; else echo "This build only supports branch builds" && exit 1; fi
 - apt-get update -y
 - apt-get install -y maven
diff --git a/provider/crs-catalog-aws/build-aws/entrypoint.sh b/provider/crs-catalog-aws/build-aws/entrypoint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..9bd3ec69d01fba69f4bece2162e7faba5cc0f0cb
--- /dev/null
+++ b/provider/crs-catalog-aws/build-aws/entrypoint.sh
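Review bot: `ENTRYPOINT ["/bin/sh", "-c", ". /entrypoint.sh"]` leaves `sh` as PID 1 with `java` as its child, so the SIGTERM from `docker stop` or an ECS task stop reaches the shell and not the JVM, which is then SIGKILLed after the grace period with no orderly shutdown; the sourced script's last line should be `exec java $JAVA_OPTS -jar /app.jar` (or the Dockerfile can run `["/bin/sh", "/entrypoint.sh"]` with that `exec` inside). Sourcing also means entrypoint.sh's `$RANDOM` and ssl.sh's `pushd`/`popd` only work if `/bin/sh` in `amazoncorretto:8` is bash — I believe it is on Amazon Linux, but the Dockerfile should either state that assumption or invoke `bash` explicitly. `ENV USE_SELF_SIGNED_SSL_CERT true` makes every container mint a throwaway `CN=localhost` certificate that no client can validate, which the comment above it should spell out, e.g. `# Default: generate a per-container self-signed cert (CN=localhost) at start-up; fine locally or behind a TLS-terminating load balancer, not a production certificate.`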
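Review bot: `curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -` installs whatever the download returns as a signing key trusted for every apt repository, not only Yarn's, and nothing checks that it is the key Yarn actually publishes, so a substituted or compromised download would hand the build a universally trusted apt key. Save it first with `curl -fsS -o /tmp/yarn-pubkey.gpg https://dl.yarnpkg.com/debian/pubkey.gpg` (`-f` turns an HTTP error into a failed step instead of piping an error page into gpg), check `gpg --import-options show-only --import /tmp/yarn-pubkey.gpg` against the fingerprint Yarn publishes, and only then `apt-key add /tmp/yarn-pubkey.gpg`; if the image's Yarn source list can be edited, a keyring under `/usr/share/keyrings` referenced with `signed-by=` scopes the key to that one repository. The comment should also say what breaks without this line, e.g. `# re-import Yarn's apt signing key so apt-get update does not fail on the expired one (yarnpkg/yarn#7866)`, assuming that is what the linked issue describes.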
@@ -0,0 +1,15 @@
+
+
+if [ -n $USE_SELF_SIGNED_SSL_CERT ];
+then
+ export SSL_KEY_PASSWORD=$RANDOM$RANDOM$RANDOM;
+ export SSL_KEY_STORE_PASSWORD=$SSL_KEY_PASSWORD;
+ export SSL_KEY_STORE_DIR=/tmp/certs;
+ export SSL_KEY_STORE_NAME=osduonaws.p12;
+ export SSL_KEY_STORE_PATH=$SSL_KEY_STORE_DIR/$SSL_KEY_STORE_NAME;
+ export SSL_KEY_ALIAS=osduonaws;
+
+ ./ssl.sh;
+fi
+
+java $JAVA_OPTS -jar /app.jar
\ No newline at end of file
diff --git a/provider/crs-catalog-aws/build-aws/ssl.sh b/provider/crs-catalog-aws/build-aws/ssl.sh
new file mode 100755
index 0000000000000000000000000000000000000000..9ede565684bdd46cb09e56fce721ced55206ca07
--- /dev/null
+++ b/provider/crs-catalog-aws/build-aws/ssl.sh
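Review bot: `if [ -n $USE_SELF_SIGNED_SSL_CERT ];` is unquoted, so when the variable is unset or empty the test degenerates to `[ -n ]`, which is true, and a value of `false` is also a non-empty string — the self-signed branch can never be switched off through the environment; write `if [ "${USE_SELF_SIGNED_SSL_CERT:-}" = "true" ]; then`. `$RANDOM$RANDOM$RANDOM` yields at most 45 bits from bash's non-cryptographic generator and may expand to an empty password under a `/bin/sh` that is not bash (dash has no `RANDOM`); `export SSL_KEY_PASSWORD=$(head -c 24 /dev/urandom | base64 | tr -d '/+=\n')` works in any POSIX shell. The last line should be `exec java $JAVA_OPTS -jar /app.jar` so the JVM replaces the shell and receives the container runtime's SIGTERM. A `set -e` at the top would also stop start-up when `./ssl.sh` fails instead of launching java with no keystore; since the Dockerfile sources this file from `sh -c`, that setting applies to the wrapper shell, which is what you want here.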
@@ -0,0 +1,34 @@
+# Copyright © 2021 Amazon Web Services
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/usr/bin/env bash
+
+#Future: Support for using Amazon Cert Manager
+# if [ "$1" == "webserver" ] && [ -n $ACM_CERTIFICATE_ARN ];
+# then
+
+# aws acm export-certificate --certificate-arn $ACM_CERTIFICATE_ARN --passphrase $(echo -n 'aws123' | openssl base64 -e) | jq -r '"\(.PrivateKey)"' > ${SSL_KEY_PATH}.enc
+# openssl rsa -in ${SSL_KEY_PATH}.enc -out $SSL_KEY_PATH -passin pass:aws123
+# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.CertificateChain)"' > $SSL_CERT_PATH
+# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.Certificate)"' >> $SSL_CERT_PATH
+
+# fi
+
+if [ -n $USE_SELF_SIGNED_SSL_CERT ];
+then
+ mkdir -p $SSL_KEY_STORE_DIR
+ pushd $SSL_KEY_STORE_DIR
+ keytool -genkeypair -alias $SSL_KEY_ALIAS -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore $SSL_KEY_STORE_NAME -validity 3650 -keypass $SSL_KEY_PASSWORD -storepass $SSL_KEY_PASSWORD -dname "CN=localhost, OU=AWS, O=Energy, L=Houston, ST=TX, C=US"
+ popd
+fi
diff --git a/provider/crs-catalog-aws/src/main/resources/application.properties b/provider/crs-catalog-aws/src/main/resources/application.properties
index 1db100e34851b0f27c3f4d89061aa0f0dda01216..6faad805e27a268cfc19553c1316c896c6ac6be5 100644
--- a/provider/crs-catalog-aws/src/main/resources/application.properties
+++ b/provider/crs-catalog-aws/src/main/resources/application.properties
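Review bot: `#!/usr/bin/env bash` sits after the license header, so it is an ordinary comment and the script runs under whichever shell execs it (the Dockerfile's `sh -c`), yet `pushd`/`popd` are bash builtins, and nothing aborts when `keytool` fails, so a failed keystore generation still lets entrypoint.sh start java against a missing file. Move the shebang to line 1, add `set -eu`, drop the directory change by passing `-keystore "$SSL_KEY_STORE_PATH"`, and use keytool's `:env` modifier so the password is read from the environment instead of appearing in the process list (rewrite below). The unquoted `[ -n $USE_SELF_SIGNED_SSL_CERT ]` is true for unset, empty and `false` alike — compare the value to `true`. The commented-out ACM block puts the export passphrase `aws123` on the command line and writes the decrypted private key to disk; if it is ever enabled, take the passphrase from an environment variable or file and `chmod 600` then remove `${SSL_KEY_PATH}.enc` after conversion. The certificate is `CN=localhost` with no subject alternative name, so hostname verification fails for any real client; a comment should say this mode is for local runs or behind a TLS-terminating load balancer only.
```shell
#!/usr/bin/env bash
# … unchanged: license header, commented ACM placeholder …
set -eu

if [ "${USE_SELF_SIGNED_SSL_CERT:-}" = "true" ]; then
    mkdir -p "$SSL_KEY_STORE_DIR"
    # absolute keystore path instead of pushd/popd; :env keeps the password out of `ps`
    keytool -genkeypair -alias "$SSL_KEY_ALIAS" -keyalg RSA -keysize 2048 -storetype PKCS12 \
        -keystore "$SSL_KEY_STORE_PATH" -validity 3650 \
        -keypass:env SSL_KEY_PASSWORD -storepass:env SSL_KEY_PASSWORD \
        -dname "CN=localhost, OU=AWS, O=Energy, L=Houston, ST=TX, C=US"
fi
```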
@@ -41,4 +41,11 @@ aws.elasticache.cluster.endpoint=${CACHE_CLUSTER_ENDPOINT}
 aws.elasticache.cluster.port=${CACHE_CLUSTER_PORT}
 # if this is turned on then the service tries to connect to elastic search
-management.health.elasticsearch.enabled=false
\ No newline at end of file
+management.health.elasticsearch.enabled=false
+
+server.ssl.enabled=${SSL_ENABLED:true}
+server.ssl.key-store-type=PKCS12
+server.ssl.key-store=${SSL_KEY_STORE_PATH:/certs/osduonaws.p12}
+server.ssl.key-alias=${SSL_KEY_ALIAS:osduonaws}
+server.ssl.key-password=${SSL_KEY_PASSWORD:}
+server.ssl.key-store-password=${SSL_KEY_STORE_PASSWORD:}
\ No newline at end of file
diff --git a/testing/catalog_test_aws/jwt_client.py b/testing/catalog_test_aws/jwt_client.py
index 06b4a71f0cdfa27c26691e4527897ea19ef742ad..09619c5961f8eb809e44dbc0111a64a3195dd3c9 100644
--- a/testing/catalog_test_aws/jwt_client.py
+++ b/testing/catalog_test_aws/jwt_client.py
@@ -18,8 +18,11 @@ import boto3;
 import jwt;
 def get_id_token():
- client = boto3.client('cognito-idp', region_name=os.environ["AWS_REGION"])
-
+ region = os.getenv("AWS_COGNITO_REGION")
+ if region:
+ client = boto3.client('cognito-idp', region_name=region)
+ else:
+ client = boto3.client('cognito-idp', region_name=os.environ["AWS_REGION"])
 userAuth = client.initiate_auth(
 ClientId= os.environ['AWS_COGNITO_CLIENT_ID'],
 # UserPoolId= os.environ['AWS_COGNITO_USER_POOL_ID'],
@@ -33,4 +33,4 @@ def get_id_token():
 def get_invalid_token():
 #generate a dummy jwt
- return jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256').decode("utf-8")
\ No newline at end of file
+ return jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256').decode("utf-8")
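Review bot: `server.ssl.enabled=${SSL_ENABLED:true}` turns the listener on without `server.ssl.enabled-protocols` or a cipher list, so it negotiates whatever the Corretto 8 runtime's `jdk.tls.disabledAlgorithms` still permits; add `server.ssl.enabled-protocols=TLSv1.2` (and `TLSv1.3` if the JDK build supports it) beside the new keys. The `/certs/osduonaws.p12` fallback is a path the Dockerfile never creates and differs from the `/tmp/certs` the entrypoint exports, and both password keys default to empty, so a comment should say what the fallbacks are for, e.g. `# TLS is on by default. The container entrypoint exports SSL_KEY_STORE_PATH/SSL_KEY_PASSWORD for its generated keystore; /certs is where an operator-mounted keystore is expected, and without the env vars Spring should refuse to start rather than serve plaintext.` Because the exposed port 8080 now speaks HTTPS, any load-balancer health check or client pointed at it has to use HTTPS — presumably handled in the infrastructure templates, which are not part of this change.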
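Review bot: The two `boto3.client('cognito-idp', ...)` calls in `get_id_token` differ only in the region, so the new `if region:`/`else:` can be one line: `client = boto3.client('cognito-idp', region_name=os.getenv("AWS_COGNITO_REGION") or os.environ["AWS_REGION"])`. `or` keeps the current semantics, since an empty `AWS_COGNITO_REGION` is falsy in both forms and falls back to `AWS_REGION`, and the `KeyError` when neither is set is unchanged. The rest of `get_id_token` (the `initiate_auth` call and its return) lies outside the hunk.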