From 763385b50840deb9ec84bc09d3e40505e6884c93 Mon Sep 17 00:00:00 2001
From: Bill Wang
Date: Tue, 5 Jan 2021 15:28:36 +0000
Subject: [PATCH 1/4] Squashed commit of the following commit cd743729 Author: zhijie wang Date: Sun Dec 27 2020 12:02:17 GMT-0800 (Pacific Standard Time) fix python test lib Cognito region flag
---
 testing/catalog_test_aws/jwt_client.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/testing/catalog_test_aws/jwt_client.py b/testing/catalog_test_aws/jwt_client.py
index 06b4a71..7a88af9 100644
--- a/testing/catalog_test_aws/jwt_client.py
+++ b/testing/catalog_test_aws/jwt_client.py
@@ -18,8 +18,10 @@ import boto3;
 import jwt;
 def get_id_token():
- client = boto3.client('cognito-idp', region_name=os.environ["AWS_REGION"])
-
+ if os.environ["AWS_COGNITO_REGION"]:
+ client = boto3.client('cognito-idp', region_name=os.environ["AWS_COGNITO_REGION"])
+ else:
+ client = boto3.client('cognito-idp', region_name=os.environ["AWS_REGION"])
 userAuth = client.initiate_auth( ClientId= os.environ['AWS_COGNITO_CLIENT_ID'], # UserPoolId= os.environ['AWS_COGNITO_USER_POOL_ID'],
@@ -33,4 +35,4 @@ def get_id_token():
 def get_invalid_token():
 #generate a dummy jwt
- return jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256').decode("utf-8")
\ No newline at end of file
+ return jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256').decode("utf-8")
-- GitLab
From 4976aa2521abfba9325db956b3ed988d83f4e2db Mon Sep 17 00:00:00 2001
From: Bill Wang
Date: Tue, 5 Jan 2021 19:43:02 +0000
Subject: [PATCH 2/4] Squashed commit of the following commit 48e844c7 Author: zhijie wang Date: Tue Jan 05 2021 11:40:00 GMT-0800 (Pacific Standard Time) fix catalog
---
 testing/catalog_test_aws/jwt_client.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/testing/catalog_test_aws/jwt_client.py b/testing/catalog_test_aws/jwt_client.py
index 7a88af9..09619c5 100644
--- a/testing/catalog_test_aws/jwt_client.py
+++ b/testing/catalog_test_aws/jwt_client.py
@@ -18,8 +18,9 @@ import boto3;
 import jwt;
 def get_id_token():
- if os.environ["AWS_COGNITO_REGION"]:
- client = boto3.client('cognito-idp', region_name=os.environ["AWS_COGNITO_REGION"])
+ region = os.getenv("AWS_COGNITO_REGION")
+ if region:
+ client = boto3.client('cognito-idp', region_name=region)
 else:
 client = boto3.client('cognito-idp', region_name=os.environ["AWS_REGION"])
 userAuth = client.initiate_auth(
-- GitLab
From 36ddbef951083e9a7640eeedde7b152bb63c43bd Mon Sep 17 00:00:00 2001
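Review bot: The new `if region:` branch and the kept `else:` branch build the same `boto3.client('cognito-idp', ...)` call with only the region argument differing, so the precedence the commit wants fits on one line, `region = os.getenv("AWS_COGNITO_REGION") or os.environ["AWS_REGION"]`, followed by a single `client = boto3.client('cognito-idp', region_name=region)`. That keeps the existing behaviour, including the KeyError raised when neither variable is set, which is acceptable for a test helper but deserves a one-line comment such as `# AWS_COGNITO_REGION overrides AWS_REGION; one of the two must be set`. get_id_token continues past the end of the hunk.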
From: Spencer Sutton
Date: Wed, 3 Feb 2021 15:22:39 +0000
Subject: [PATCH 3/4] SSL AWS commit 38b85b28 Author: Sutton Date: Fri Jan 29 2021 14:11:02 GMT-0600 (Central Standard Time) Retyring build commit 917f4b4a Author: Sutton Date: Fri Jan 29 2021 12:30:15 GMT-0600 (Central Standard Time) Adding ssl app props commit ba83ef7d Author: Sutton Date: Fri Jan 29 2021 12:13:16 GMT-0600 (Central Standard Time) Needed paths commit 01146fce Author: Sutton Date: Fri Jan 29 2021 12:02:44 GMT-0600 (Central Standard Time) Revamping ssl commit 27d377a2 Author: Sutton Date: Thu Jan 28 2021 13:48:34 GMT-0600 (Central Standard Time) Adding SSL commit 944b41bc Author: Sutton Date: Thu Jan 28 2021 13:31:40 GMT-0600 (Central Standard Time) Merge branch 'dev' of codecommit::us-east-1://default@os-crs-catalog into dev commit 345f8588 Author: Bill Wang Date: Tue Jan 05 2021 13:43:02 GMT-0600 (Central Standard Time) Squashed commit of the following commit 48e844c7 Author: zhijie wang Date: Tue Jan 05 2021 11:40:00 GMT-0800 (Pacific Standard Time) fix catalog commit 59ecf558 Author: Bill Wang Date: Tue Jan 05 2021 09:28:36 GMT-0600 (Central Standard Time) Squashed commit of the following commit cd743729 Author: zhijie wang Date: Sun Dec 27 2020 12:02:17 GMT-0800 (Pacific Standard Time) fix python test lib Cognito region flag
---
 provider/crs-catalog-aws/build-aws/Dockerfile | 9 ++++-
 .../crs-catalog-aws/build-aws/entrypoint.sh | 15 ++++++++
 provider/crs-catalog-aws/build-aws/ssl.sh | 34 +++++++++++++++++++
 .../src/main/resources/application.properties | 9 ++++-
 4 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100755 provider/crs-catalog-aws/build-aws/entrypoint.sh
 create mode 100755 provider/crs-catalog-aws/build-aws/ssl.sh
diff --git a/provider/crs-catalog-aws/build-aws/Dockerfile b/provider/crs-catalog-aws/build-aws/Dockerfile
index 4915d7c..b531e6b 100644
--- a/provider/crs-catalog-aws/build-aws/Dockerfile
+++ b/provider/crs-catalog-aws/build-aws/Dockerfile
@@ -17,7 +17,14 @@ FROM amazoncorretto:8
 ARG JAR_FILE=provider/crs-catalog-aws/target/crs-catalog-aws-*.jar
 WORKDIR /
+
+#Default to using self signed generated TLS cert
+ENV USE_SELF_SIGNED_SSL_CERT true
+
 COPY ${JAR_FILE} app.jar
 COPY /data/crs_catalog_v2.json /data/crs_catalog_v2.json
+COPY /provider/crs-catalog-aws/build-aws/ssl.sh /ssl.sh
+COPY /provider/crs-catalog-aws/build-aws/entrypoint.sh /entrypoint.sh
+
 EXPOSE 8080
-ENTRYPOINT java $JAVA_OPTS -jar /app.jar
+ENTRYPOINT ["/bin/sh", "-c", ". /entrypoint.sh"]
diff --git a/provider/crs-catalog-aws/build-aws/entrypoint.sh b/provider/crs-catalog-aws/build-aws/entrypoint.sh
new file mode 100755
index 0000000..9bd3ec6
--- /dev/null
+++ b/provider/crs-catalog-aws/build-aws/entrypoint.sh
@@ -0,0 +1,15 @@
+
+
+if [ -n $USE_SELF_SIGNED_SSL_CERT ];
+then
+ export SSL_KEY_PASSWORD=$RANDOM$RANDOM$RANDOM;
+ export SSL_KEY_STORE_PASSWORD=$SSL_KEY_PASSWORD;
+ export SSL_KEY_STORE_DIR=/tmp/certs;
+ export SSL_KEY_STORE_NAME=osduonaws.p12;
+ export SSL_KEY_STORE_PATH=$SSL_KEY_STORE_DIR/$SSL_KEY_STORE_NAME;
+ export SSL_KEY_ALIAS=osduonaws;
+
+ ./ssl.sh;
+fi
+
+java $JAVA_OPTS -jar /app.jar
\ No newline at end of file
diff --git a/provider/crs-catalog-aws/build-aws/ssl.sh b/provider/crs-catalog-aws/build-aws/ssl.sh
new file mode 100755
index 0000000..9ede565
--- /dev/null
+++ b/provider/crs-catalog-aws/build-aws/ssl.sh
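Review bot: `ENV USE_SELF_SIGNED_SSL_CERT true` reads as a boolean, but the scripts it feeds only test the variable with `-n`, so the intended off switch is an empty value and `false` would still generate the throwaway keystore; a comment beside it, `# Any non-empty value generates a self-signed keystore at start-up; set to "" and provide SSL_KEY_STORE_PATH/SSL_KEY_STORE_PASSWORD to use your own`, would save a deployer that surprise. The `ENTRYPOINT ["/bin/sh", "-c", ". /entrypoint.sh"]` form sources the script into an `sh -c` shell instead of running it; since entrypoint.sh is copied with its executable bit, `ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]` says the same thing more directly and avoids the extra level of quoting.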
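Review bot: `if [ -n $USE_SELF_SIGNED_SSL_CERT ]` is true even when the variable is empty or unset, because the unquoted expansion disappears and `[ -n ]` then tests the literal string `-n`, so the generated keystore can never be switched off; ssl.sh carries the same test on the same variable. `SSL_KEY_PASSWORD=$RANDOM$RANDOM$RANDOM` relies on `$RANDOM`, a shell extension that some POSIX `/bin/sh` implementations (dash) leave empty, handing keytool an empty `-storepass`, and which where present is a 15-bit generator not designed to produce secrets; `/dev/urandom` is the right source for a keystore password that only has to live for the container's lifetime. `./ssl.sh;` is resolved against the current directory and its exit status is dropped, so a failed keytool call is only noticed when the JVM cannot open the keystore, and the final `java` line is not `exec`'d, which leaves `/bin/sh` as PID 1 so that a SIGTERM from the orchestrator stops the shell while the JVM is only killed at the end of the grace period. The rewrite below quotes the test, draws the password from `/dev/urandom` (coreutils `base64`, present on the amazoncorretto base as far as I can tell — confirm), refuses to start if ssl.sh fails, and execs the JVM.
```shell
if [ -n "$USE_SELF_SIGNED_SSL_CERT" ];
then
  export SSL_KEY_PASSWORD="$(head -c 24 /dev/urandom | base64)"
  # … unchanged: SSL_KEY_STORE_PASSWORD, SSL_KEY_STORE_* and SSL_KEY_ALIAS exports …
  /ssl.sh || { echo "ssl.sh failed; refusing to start without a keystore" >&2; exit 1; }
fi

exec java $JAVA_OPTS -jar /app.jar
```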
@@ -0,0 +1,34 @@
+# Copyright © 2021 Amazon Web Services
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/usr/bin/env bash
+
+#Future: Support for using Amazon Cert Manager
+# if [ "$1" == "webserver" ] && [ -n $ACM_CERTIFICATE_ARN ];
+# then
+
+# aws acm export-certificate --certificate-arn $ACM_CERTIFICATE_ARN --passphrase $(echo -n 'aws123' | openssl base64 -e) | jq -r '"\(.PrivateKey)"' > ${SSL_KEY_PATH}.enc
+# openssl rsa -in ${SSL_KEY_PATH}.enc -out $SSL_KEY_PATH -passin pass:aws123
+# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.CertificateChain)"' > $SSL_CERT_PATH
+# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.Certificate)"' >> $SSL_CERT_PATH
+
+# fi
+
+if [ -n $USE_SELF_SIGNED_SSL_CERT ];
+then
+ mkdir -p $SSL_KEY_STORE_DIR
+ pushd $SSL_KEY_STORE_DIR
+ keytool -genkeypair -alias $SSL_KEY_ALIAS -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore $SSL_KEY_STORE_NAME -validity 3650 -keypass $SSL_KEY_PASSWORD -storepass $SSL_KEY_PASSWORD -dname "CN=localhost, OU=AWS, O=Energy, L=Houston, ST=TX, C=US"
+ popd
+fi
diff --git a/provider/crs-catalog-aws/src/main/resources/application.properties b/provider/crs-catalog-aws/src/main/resources/application.properties
index 1db100e..6faad80 100644
--- a/provider/crs-catalog-aws/src/main/resources/application.properties
+++ b/provider/crs-catalog-aws/src/main/resources/application.properties
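Review bot: `#!/usr/bin/env bash` sits on line 15, after the license header, so it is an ordinary comment and the file has no interpreter line; launched as `./ssl.sh` from entrypoint.sh, which shell actually runs it is decided by the calling `/bin/sh`, yet `pushd` and `popd` are bash builtins that a plain POSIX sh does not provide. Moving the shebang to line 1 and adding `set -e` as the first statement makes the interpreter explicit and turns a failed `mkdir`, `pushd` or `keytool` into a non-zero exit instead of running on to `popd`. The `pushd`/`popd` pair can go entirely by passing `-keystore "$SSL_KEY_STORE_PATH"` (exported by entrypoint.sh) instead of `$SSL_KEY_STORE_NAME`, and the other unquoted variables should be quoted in the same pass. The commented-out ACM block embeds a literal passphrase (`aws123`) twice; if that block is revived, the passphrase should come from the environment like the other secrets rather than from the script.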
@@ -41,4 +41,11 @@ aws.elasticache.cluster.endpoint=${CACHE_CLUSTER_ENDPOINT}
 aws.elasticache.cluster.port=${CACHE_CLUSTER_PORT}
 # if this is turned on then the service tries to connect to elastic search
-management.health.elasticsearch.enabled=false
\ No newline at end of file
+management.health.elasticsearch.enabled=false
+
+server.ssl.enabled=${SSL_ENABLED:true}
+server.ssl.key-store-type=PKCS12
+server.ssl.key-store=${SSL_KEY_STORE_PATH:/certs/osduonaws.p12}
+server.ssl.key-alias=${SSL_KEY_ALIAS:osduonaws}
+server.ssl.key-password=${SSL_KEY_PASSWORD:}
+server.ssl.key-store-password=${SSL_KEY_STORE_PASSWORD:}
\ No newline at end of file
-- GitLab
From cab23fc238f3ea2b756afbeb833d39b98e2c3855 Mon Sep 17 00:00:00 2001
From: Sutton
Date: Wed, 3 Feb 2021 10:10:10 -0600
Subject: [PATCH 4/4] ubuntu expired key fix
---
 provider/crs-catalog-aws/build-aws/buildspec.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/provider/crs-catalog-aws/build-aws/buildspec.yaml b/provider/crs-catalog-aws/build-aws/buildspec.yaml
index 9c7186e..5a501a6 100644
--- a/provider/crs-catalog-aws/build-aws/buildspec.yaml
+++ b/provider/crs-catalog-aws/build-aws/buildspec.yaml
@@ -27,6 +27,8 @@ phases:
 runtime-versions:
 java: corretto8
 commands:
+ # fix error noted here: https://github.com/yarnpkg/yarn/issues/7866
+ - curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
 - if [ $(echo $CODEBUILD_SOURCE_VERSION | grep -c ^refs/heads.*) -eq 1 ]; then echo "Branch name found"; else echo "This build only supports branch builds" && exit 1; fi
 - apt-get update -y
 - apt-get install -y maven
-- GitLab
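Review bot: `server.ssl.key-password=${SSL_KEY_PASSWORD:}` and `server.ssl.key-store-password=${SSL_KEY_STORE_PASSWORD:}` default to the empty string while `server.ssl.enabled` defaults to `true` and `server.ssl.key-store` to `/certs/osduonaws.p12`, a path that does not match the `/tmp/certs` directory entrypoint.sh creates. A deployment that turns off the generated keystore without supplying its own therefore starts TLS against a path that does not exist with empty credentials, and the misconfiguration presumably only surfaces as a keystore load error at boot. Dropping the empty defaults (`server.ssl.key-password=${SSL_KEY_PASSWORD}` and `server.ssl.key-store-password=${SSL_KEY_STORE_PASSWORD}`) makes a missing secret fail at placeholder resolution with the property name in the message, and the key-store default should either agree with `SSL_KEY_STORE_DIR` in entrypoint.sh or be removed the same way.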
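Review bot: `curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -` installs whatever the download returns into the global apt trust store without checking the key's fingerprint, so the build's package trust rests on that single TLS fetch, and because `curl` is not run with `--fail` a non-200 response body would be piped into `apt-key` as well. `apt-key add` is also deprecated and makes the key trusted for every configured repository, not just the yarn one. Downloading to a file, comparing its fingerprint with a value pinned in the buildspec, and then installing it under `/etc/apt/trusted.gpg.d/` keeps the fix while making the trust decision explicit and reviewable; scoping it further with `signed-by=` on the yarn sources entry would be better still, but that entry is outside this hunk.
```yaml
      commands:
        # fix error noted here: https://github.com/yarnpkg/yarn/issues/7866
        - curl -sSf https://dl.yarnpkg.com/debian/pubkey.gpg -o /tmp/yarn-pubkey.gpg
        # <EXPECTED_YARN_KEY_FINGERPRINT> is a placeholder: pin the 40-hex-digit fingerprint the publisher documents for this key
        - gpg --with-colons --import-options show-only --import /tmp/yarn-pubkey.gpg | grep -q '^fpr:::::::::<EXPECTED_YARN_KEY_FINGERPRINT>:$'
        # --dearmor assumes the published file is ASCII-armoured — confirm; a binary keyring can be copied as-is
        - gpg --dearmor < /tmp/yarn-pubkey.gpg > /etc/apt/trusted.gpg.d/yarn.gpg
        # … unchanged: branch check, apt-get update / install …
```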